CVE-2026-23875

5.4 MEDIUM

📋 TL;DR

CrawlChat versions before 0.0.8 lack proper permission checks for Discord bot commands, allowing any Discord guild member to inject malicious content into the AI knowledge base. This enables manipulation of chatbot responses to redirect users to malicious sites or leak information. All Discord servers using vulnerable CrawlChat versions are affected.

💻 Affected Systems

Products:
  • CrawlChat
Versions: All versions before 0.0.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Discord bot integration of CrawlChat; requires Discord guild membership but no special permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers poison the knowledge base with malicious links or misinformation, causing widespread phishing, malware distribution, or data exfiltration across all chatbot integrations.

🟠 Likely Case

Malicious users inject misleading information or redirects into frequently asked sections, compromising chatbot integrity and potentially enabling social engineering attacks.

🟢 If Mitigated

With proper permission controls, only authorized administrators can modify knowledge base content, preventing unauthorized manipulation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Discord guild membership but no special permissions; simple Discord commands can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.8

Vendor Advisory: https://github.com/crawlchat/crawlchat/security/advisories/GHSA-f484-62p4-6w4p

Restart Required: Yes

Instructions:

1. Update CrawlChat to version 0.0.8 or later.
2. Restart the CrawlChat service.
3. Verify the Discord bot has proper permission checks.

🔧 Temporary Workarounds

Disable Discord bot temporarily (platform: linux)

Temporarily disable the CrawlChat Discord bot integration until patching is complete.

systemctl stop crawlchat-discord-bot

Restrict Discord guild access (platform: all)

Temporarily restrict Discord guild membership to trusted users only.

🧯 If You Can't Patch

  • Monitor Discord bot logs for unauthorized knowledge base modification attempts.
  • Implement manual review process for all knowledge base changes before deployment.

🔍 How to Verify

Check if Vulnerable:

Check CrawlChat version; if below 0.0.8, the system is vulnerable.

Check Version:

crawlchat --version

Verify Fix Applied:

After updating to 0.0.8+, test Discord bot commands with non-admin users; they should be denied knowledge base modification.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized users attempting to use the jigsaw emoji commands
  • Knowledge base modification from non-admin Discord users

Network Indicators:

  • Unusual Discord API calls to knowledge base endpoints from non-admin users

SIEM Query:

source="crawlchat" AND event="knowledge_base_update" AND user_role!="admin"
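As an added defensive example (not part of this advisory and not CrawlChat's own code), the script below applies the logic of the SIEM query above to constructed CrawlChat-style log lines. The field names `source`, `event` and `user_role` are taken from the query; the JSON-lines log format, the `user` and `guild` fields, and all sample values are assumptions. It also handles one edge case the query does not: an update event whose `user_role` field is missing entirely is treated as unauthorized rather than silently ignored.

```python
import json

# Constructed sample log lines in a JSON-lines format. This is an assumption:
# the advisory does not document CrawlChat's actual log format. The field
# names source, event and user_role mirror the SIEM query in the advisory.
SAMPLE_LOGS = [
    '{"source": "crawlchat", "event": "knowledge_base_update", "user": "alice", "user_role": "admin", "guild": "g1"}',
    '{"source": "crawlchat", "event": "knowledge_base_update", "user": "bob", "user_role": "member", "guild": "g1"}',
    '{"source": "crawlchat", "event": "chat_query", "user": "carol", "user_role": "member", "guild": "g1"}',
    # Update event with no user_role field at all: should still be flagged.
    '{"source": "crawlchat", "event": "knowledge_base_update", "user": "dave", "guild": "g1"}',
    # Same event name from a different source: not in scope for this rule.
    '{"source": "nginx", "event": "knowledge_base_update", "user": "eve", "user_role": "member"}',
    # Garbage line: must be skipped without aborting the scan.
    'not json at all',
]

TRUSTED_ROLES = ("admin",)


def parse_lines(lines):
    """Yield one dict per parseable JSON log line; skip anything malformed."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def is_suspicious_kb_update(rec, trusted_roles=TRUSTED_ROLES):
    """Equivalent of:
        source="crawlchat" AND event="knowledge_base_update" AND user_role!="admin"
    with one deliberate difference: a record that has no user_role field is
    treated as non-admin (and therefore flagged), because an update whose
    actor role was not recorded is exactly what a reviewer should look at.
    """
    if rec.get("source") != "crawlchat":
        return False
    if rec.get("event") != "knowledge_base_update":
        return False
    return rec.get("user_role") not in trusted_roles


def find_suspicious_updates(lines):
    """Return the parsed records that match the detection rule."""
    return [rec for rec in parse_lines(lines) if is_suspicious_kb_update(rec)]


def summarize_by_user(alerts):
    """Count flagged updates per user so repeat offenders stand out."""
    counts = {}
    for rec in alerts:
        user = rec.get("user", "<unknown>")
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    alerts = find_suspicious_updates(SAMPLE_LOGS)
    for rec in alerts:
        print("ALERT non-admin knowledge base update:",
              rec.get("user", "<unknown>"),
              "role=" + str(rec.get("user_role", "<missing>")),
              "guild=" + str(rec.get("guild", "<unknown>")))
    print("per-user counts:", summarize_by_user(alerts))
```

One caveat when porting the rule back into a SIEM: in Splunk-style search languages, `user_role!="admin"` only matches events that actually carry a `user_role` field, so an update event logged without that field would never appear. If the missing-field case should be flagged as the script does, write the condition as `NOT user_role="admin"` instead.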
