CVE-2026-22663: CWE-862 Missing Authorization in prompts.chat
prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.
AI Analysis
Technical Summary
The vulnerability CVE-2026-22663 in prompts.chat arises from missing authorization checks (CWE-862) on private prompt data. Specifically, the application fails to verify the isPrivate status across various API endpoints and in the generation of page metadata. This omission enables attackers without any privileges to retrieve sensitive information associated with private prompts, including their version history, change requests, examples, current content, and metadata exposed through HTML meta tags. The CVSS 4.0 base score is 8.7, reflecting a high severity due to network attack vector, no required privileges or user interaction, and high impact on confidentiality. No patch or official remediation guidance is currently available, and the product is not a cloud service, so remediation depends on the vendor releasing a fix.
Potential Impact
Unauthorized users can access sensitive private prompt data that should be restricted, including version histories, change requests, examples, current content, and metadata. This exposure can lead to confidentiality breaches of potentially sensitive or proprietary information stored in private prompts. There is no indication of integrity or availability impact. No known exploits have been reported in the wild so far.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor vendor communications for updates. Until a fix is available, restricting access to the affected versions or disabling the vulnerable functionality may reduce risk. No vendor advisory states that no action is required or that the issue is mitigated.
CVE-2026-22663: CWE-862 Missing Authorization in prompts.chat
Description
prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-22663 in prompts.chat arises from missing authorization checks (CWE-862) on private prompt data. Specifically, the application fails to verify the isPrivate status across various API endpoints and in the generation of page metadata. This omission enables attackers without any privileges to retrieve sensitive information associated with private prompts, including their version history, change requests, examples, current content, and metadata exposed through HTML meta tags. The CVSS 4.0 base score is 8.7, reflecting a high severity due to network attack vector, no required privileges or user interaction, and high impact on confidentiality. No patch or official remediation guidance is currently available, and the product is not a cloud service, so remediation depends on the vendor releasing a fix.
Potential Impact
Unauthorized users can access sensitive private prompt data that should be restricted, including version histories, change requests, examples, current content, and metadata. This exposure can lead to confidentiality breaches of potentially sensitive or proprietary information stored in private prompts. There is no indication of integrity or availability impact. No known exploits have been reported in the wild so far.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor vendor communications for updates. Until a fix is available, restricting access to the affected versions or disabling the vulnerable functionality may reduce risk. No vendor advisory states that no action is required or that the issue is mitigated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-01-08T19:04:26.364Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d026ec0a160ebd92593008
Added to database: 4/3/2026, 8:45:32 PM
Last enriched: 4/11/2026, 9:26:58 AM
Last updated: 5/20/2026, 8:51:38 PM
Views: 62
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.