CVE-2026-13508 | MEDIUM | 5.5 (CVSS 3.1)
Description
A flaw has been found in khoj-ai khoj up to 2.0.0-beta.28. It affects an unknown function in the file src/khoj/routers/api_chat.py of the component Conversation Sharing Handler. Manipulation of the argument conversation.agent leads to incorrect authorization. The vulnerability can be exploited remotely. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
Metadata
Severity & Metrics
5.5 MEDIUM (CVSS 3.1), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| khoj-ai | khoj | — | 2.0.0-beta.0, 2.0.0-beta.1, 2.0.0-beta.2, 2.0.0-beta.3 … |
Weakness (CWE)
CWE-863: Incorrect Authorization
CVSS scores (4)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.5 | N/D | 2.0 | cna | AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR |
| 5.5 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
| 5.5 | MEDIUM | 3.0 | cna | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R |
| 5.1 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P |
References (7)
- VDB-374516 | khoj-ai khoj Conversation Sharing api_chat.py authorization https://vuldb.com/vuln/374516
- VDB-374516 | CTI Indicators (IOB, IOC, IOA) https://vuldb.com/vuln/374516/cti
- CVE-2026-13508 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-13508
- Submit #838812 | Khoj AI Khoj Source commit e8631261400e0a04c5063e91e498b549976ffc53; affected released versions are unknown. CWE-863: Incorrect Authorization https://vuldb.com/submit/838812
- https://github.com/khoj-ai/khoj/issues/1327
- https://github.com/khoj-ai/khoj/pull/1328
- https://github.com/khoj-ai/khoj/