CVE-2026-23875

MEDIUM

CrawlChat <0.0.8 - Privilege Escalation

Title source: llm

Description

CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base. Usually, admin / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) onto the collection's knowledge base of CrawlChat. Unfortunately an permission check (for e.g. MANAGE_SERVER; MANAGE_MESSAGES etc.) was not done, allowing normal users of the guild to information to the knowledge base. With targeting specific parts that are commonly asked, users can manipulate the content given out by the bot (on all integrations), to e.g. redirect users to a malicious site, or send information to a malicious user. Version 0.0.8 patches the issue.

References (3)

Core 3

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/crawlchat/crawlchat/security/advisories/GHSA-f484-62p4-6w4p

Patch x_refsource_misc

https://github.com/crawlchat/crawlchat/commit/f90ebb93c6a830f6cf609d683f6425af8434573a

Product, Release Notes x_refsource_misc

https://github.com/crawlchat/crawlchat/releases/tag/v0.0.8

Scores

CVSS v3 5.4

EPSS 0.0020

EPSS Percentile 9.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

crawlchat/crawlchat < 0.0.8

Published Jan 19, 2026

Tracked Since Feb 18, 2026