CVE-2026-58198: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in gunthercox ChatterBot
CVE-2026-58198 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability in gunthercox ChatterBot prior to version 1.2.14. The issue occurs in the UbuntuCorpusTrainer.extract() method, which uses a predictable home-rooted output directory with a check-then-create pattern followed by tar extraction. A local attacker who pre-creates a symbolic link at the predictable path can cause archive contents to be written through the symlink to an attacker-chosen directory. This vulnerability is fixed in version 1.2.14.
AI Analysis
Technical Summary
ChatterBot versions before 1.2.14 contain a TOCTOU race condition in the UbuntuCorpusTrainer.extract() function. The function uses a predictable directory path (~/ubuntu_data/ubuntu_dialogs) and performs a check-then-create operation before extracting a tar archive to that path. Because the path is predictable and the check-then-create is not atomic, a local attacker can pre-plant a symbolic link at that location. When the tar archive is extracted, files are written through the symlink to an arbitrary directory controlled by the attacker. This can lead to unauthorized file writes. The vulnerability is addressed in ChatterBot version 1.2.14.
Potential Impact
A local attacker with the ability to create a symlink at the predictable extraction path can cause arbitrary files to be written to locations of their choosing on the filesystem. This can lead to unauthorized file modification or overwriting, potentially impacting confidentiality. The CVSS score is 5.5 (medium severity), reflecting local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.
Mitigation Recommendations
Upgrade ChatterBot to version 1.2.14 or later, where this TOCTOU race condition vulnerability is fixed. There is no official patch or temporary fix other than upgrading. Until upgraded, avoid running the vulnerable extract function in environments where local attackers can create symlinks at the predictable extraction path.
CVE-2026-58198: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in gunthercox ChatterBot
Description
CVE-2026-58198 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability in gunthercox ChatterBot prior to version 1.2.14. The issue occurs in the UbuntuCorpusTrainer.extract() method, which uses a predictable home-rooted output directory with a check-then-create pattern followed by tar extraction. A local attacker who pre-creates a symbolic link at the predictable path can cause archive contents to be written through the symlink to an attacker-chosen directory. This vulnerability is fixed in version 1.2.14.
CVSS v3.1
Score 5.5medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ChatterBot versions before 1.2.14 contain a TOCTOU race condition in the UbuntuCorpusTrainer.extract() function. The function uses a predictable directory path (~/ubuntu_data/ubuntu_dialogs) and performs a check-then-create operation before extracting a tar archive to that path. Because the path is predictable and the check-then-create is not atomic, a local attacker can pre-plant a symbolic link at that location. When the tar archive is extracted, files are written through the symlink to an arbitrary directory controlled by the attacker. This can lead to unauthorized file writes. The vulnerability is addressed in ChatterBot version 1.2.14.
Potential Impact
A local attacker with the ability to create a symlink at the predictable extraction path can cause arbitrary files to be written to locations of their choosing on the filesystem. This can lead to unauthorized file modification or overwriting, potentially impacting confidentiality. The CVSS score is 5.5 (medium severity), reflecting local attack vector, low complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.
Mitigation Recommendations
Upgrade ChatterBot to version 1.2.14 or later, where this TOCTOU race condition vulnerability is fixed. There is no official patch or temporary fix other than upgrading. Until upgraded, avoid running the vulnerable extract function in environments where local attackers can create symlinks at the predictable extraction path.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-29T17:09:25.872Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4ffe7a68715ace43fdfbde
Added to database: 07/09/2026, 20:03:06 UTC
Last enriched: 07/09/2026, 20:17:35 UTC
Last updated: 07/09/2026, 20:59:27 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.