๐Ÿ” CVE Alert

CVE-2025-71388

UNKNOWN 0.0

stoatchat 20241213-1 Webhook Token Disclosure via Read Permissions

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 allow users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens, because the webhook fetch endpoint checked for ViewChannel instead of ManageWebhooks. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. Fixed in 20250210-1 (0.8.2).

CWE CWE-639
Vendor stoatchat
Product stoatchat
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for stoatchat stoatchat

Be the first to know when new unknown vulnerabilities affecting stoatchat stoatchat are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

stoatchat / stoatchat
20241213-1 < 20250210-1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/stoatchat/stoatchat/security/advisories/GHSA-8684-rvfj-v3jq github.com: https://github.com/stoatchat/stoatchat/commit/e3723d647effb81ea3d3919d848faf64dbe89829 vulncheck.com: https://www.vulncheck.com/advisories/stoatchat-20241213-1-webhook-token-disclosure-via-read-permissions