Multiple vulnerabilities in the HiJiffy chatbot

Posted date 17/03/2026
Identifier
INCIBE-2026-230
Importance
3 - Medium
Affected Resources

HiJiffy Chatbot.

Description

INCIBE has coordinated the publication of 2 medium-severity vulnerabilities affecting the Chatbot of HiJiffy, a communications center for guests. The vulnerabilities were discovered by David Utón Amaya (m3n0sd0n4ld).

Each vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • From CVE-2026-4262 to CVE-2026-4263: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-863

Solution

HiJiffy recommends updating to the latest available version.

Detail

An incorrect authorization vulnerability has been found in HiJiffy Chatbot. The list of assigned parameters and identifiers is as follows:

  • CVE-2026-4262: this vulnerability allows an attacker to download private messages from other users via the parameter 'ID' in '/api/v1/download/<ID>/'.
  • CVE-2026-4263: this vulnerability allows an attacker to access private messages from other users via the parameter 'visitor' in '/api/v1/webchat/message'. 
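
The incorrect-authorization pattern (CWE-863) behind both entries, shown beside a hardened form. This is an added illustration, not HiJiffy's code: the `Session` type, the in-memory stores, the sample data and every function name are assumptions made for the example.

```python
from dataclasses import dataclass

class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

@dataclass(frozen=True)
class Session:
    # Assumption: the server binds this value when the chat session is
    # created; it is never read from the request.
    visitor_id: str

# Constructed sample data standing in for the backend stores.
DOWNLOADS = {
    "101": {"owner": "visitor-a", "body": "transcript A"},
    "102": {"owner": "visitor-b", "body": "transcript B"},
}
MESSAGES = {"visitor-a": ["hello from A"], "visitor-b": ["hello from B"]}

def download_unchecked(session: Session, download_id: str) -> str:
    # CWE-863 pattern: the object is resolved from the ID alone, so any
    # caller who supplies another user's ID receives that user's data.
    return DOWNLOADS[download_id]["body"]

def download_checked(session: Session, download_id: str) -> str:
    item = DOWNLOADS.get(download_id)
    # Ownership is compared with the server-side session. "Missing" and
    # "not yours" raise the same error so valid IDs are not disclosed.
    if item is None or item["owner"] != session.visitor_id:
        raise NotFound(download_id)
    return item["body"]

def messages_unchecked(session: Session, visitor: str) -> list:
    # CWE-863 pattern: the client-supplied 'visitor' value selects the mailbox.
    return MESSAGES.get(visitor, [])

def messages_checked(session: Session, visitor: str = None) -> list:
    # A 'visitor' value is tolerated only when it matches the session;
    # the lookup itself always uses the session identity.
    if visitor is not None and visitor != session.visitor_id:
        raise Forbidden("visitor does not match session")
    return MESSAGES.get(session.visitor_id, [])
```
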