Auth bypass in Stoatchat

CVE-2025-71388

stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 allow users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens, because the webhook fetch endpoint checked for V…

Vulnerability class: IDOR (Insecure Direct Object Reference)

Affected products

  • Stoatchat — versions 20241213-1, 20250210-1

Weakness classification (CWE)

References