CVE-2026-13508

Summary

A flaw has been found in khoj-ai khoj up to 2.0.0-beta.28. This impacts an unknown function of the file src/khoj/routers/api_chat.py of the component Conversation Sharing Handler. This manipulation of the argument conversation.agent causes incorrect authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

Affected Software

VendorProductVersion RangeStatus
khoj-aikhoj2.0.0-beta.0affected
khoj-aikhoj2.0.0-beta.1affected
khoj-aikhoj2.0.0-beta.2affected
khoj-aikhoj2.0.0-beta.3affected
khoj-aikhoj2.0.0-beta.4affected
khoj-aikhoj2.0.0-beta.5affected
khoj-aikhoj2.0.0-beta.6affected
khoj-aikhoj2.0.0-beta.7affected
khoj-aikhoj2.0.0-beta.8affected
khoj-aikhoj2.0.0-beta.9affected
khoj-aikhoj2.0.0-beta.10affected
khoj-aikhoj2.0.0-beta.11affected
khoj-aikhoj2.0.0-beta.12affected
khoj-aikhoj2.0.0-beta.13affected
khoj-aikhoj2.0.0-beta.14affected
khoj-aikhoj2.0.0-beta.15affected
khoj-aikhoj2.0.0-beta.16affected
khoj-aikhoj2.0.0-beta.17affected
khoj-aikhoj2.0.0-beta.18affected
khoj-aikhoj2.0.0-beta.19affected
khoj-aikhoj2.0.0-beta.20affected
khoj-aikhoj2.0.0-beta.21affected
khoj-aikhoj2.0.0-beta.22affected
khoj-aikhoj2.0.0-beta.23affected
khoj-aikhoj2.0.0-beta.24affected
khoj-aikhoj2.0.0-beta.25affected
khoj-aikhoj2.0.0-beta.26affected
khoj-aikhoj2.0.0-beta.27affected
khoj-aikhoj2.0.0-beta.28affected

Weaknesses

  • CWE-863: Incorrect Authorization
  • CWE-285: Improper Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References