CVE-2026-13591

MEDIUM

DeepMyst Mysti Contact Tracking ChannelBridge.ts _isTrackedConversation improper authorization

Title source: cna
STIX 2.1

Description

A weakness has been identified in DeepMyst Mysti 0.4.0. Affected is the function _isTrackedConversation of the file src/managers/ChannelBridge.ts of the component Contact Tracking. This manipulation of the argument _channelType causes improper authorization. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit has been made available to the public and could be used for attacks. Patch name: 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48. It is suggested to install a patch to address this issue.

References (8)

Core 8
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-374594 | DeepMyst Mysti Contact Tracking ChannelBridge.ts _isTrackedConversation improper authorization
https://vuldb.com/vuln/374594
Signature, Permissions Required signature permissions-required
VDB-374594 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/374594/cti
Third Party Advisory third-party-advisory
CVE-2026-13591 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-13591
Third Party Advisory third-party-advisory
Submit #844480 | DeepMyst Mysti 0.4.0 Authorization Bypass / Identity Spoofing
https://vuldb.com/submit/844480
Exploit exploit issue-tracking
https://github.com/DeepMyst/Mysti/issues/42
Patch issue-tracking patch
https://github.com/DeepMyst/Mysti/pull/43

Scores

CVSS v3 5.0
EPSS 0.0020
EPSS Percentile 9.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-266 CWE-285
Status published
Products (1)
DeepMyst/Mysti 0.4.0
Published Jun 29, 2026
Tracked Since Jun 29, 2026