Auth bypass in 1millionbot Millie Chat

CVE-2026-4400

Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users to be viewed by simply changing the conversation ID. The vulnerability is present in the endpoint 'api.1milli…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (18.5th percentile)

Affected products

Weakness classification (CWE)

References