Auth bypass in Stoatchat
CVE-2025-71388
stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 allow users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens, because the webhook fetch endpoint checked for V…
Vulnerability class: IDOR (Insecure Direct Object Reference)
Affected products
- Stoatchat — versions 20241213-1, 20250210-1
Weakness classification (CWE)
References
- disclosure@vulncheck.com (vendor-advisory)
- disclosure@vulncheck.com (patch)
- disclosure@vulncheck.com (third-party-advisory)