CVE-2025-71388 in stoatchat
Summary
by MITRE • 07/16/2026
stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 allow users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens, because the webhook fetch endpoint checked for ViewChannel instead of ManageWebhooks. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. Fixed in 20250210-1 (0.8.2).
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
This vulnerability exists within stoatchat delta/Revolt application versions released between December 13, 2024 and February 10, 2025, specifically affecting the webhook access control mechanism. The flaw represents a privilege escalation issue where users possessing only ViewChannel permission can retrieve webhooks from channels they should not be able to manage, directly violating the principle of least privilege in security design. The vulnerability stems from improper permission validation within the webhook fetch endpoint, which incorrectly verifies ViewChannel permissions instead of requiring the more restrictive ManageWebhooks permission. This misconfiguration creates a critical access control weakness that allows unauthorized users to bypass normal channel security boundaries and obtain sensitive authentication tokens associated with webhooks.
The technical implementation of this vulnerability involves the application's failure to properly validate user permissions when accessing webhook resources, creating a path for privilege escalation through indirect means. The affected version range demonstrates that this was a recently introduced flaw that remained unpatched for approximately five weeks, indicating a potential gap in security testing or permission validation review processes. The vulnerability aligns with CWE-284 (Improper Access Control) and specifically manifests as an authorization bypass where the system fails to enforce proper access controls on webhook resources despite the user's limited channel permissions.
From an operational impact perspective, this vulnerability enables attackers to impersonate legitimate bots or webhooks within targeted channels by utilizing retrieved webhook tokens. The consequences extend beyond simple message spoofing, as these tokens can be used to send arbitrary messages that appear to originate from trusted sources within the application. This capability allows for social engineering attacks, information disclosure through crafted messages, and potential escalation to more severe security incidents depending on the channel's sensitivity and the attacker's objectives. The vulnerability effectively neutralizes channel-level access controls for webhook-related activities, creating a persistent security risk.
The mitigation for this vulnerability requires immediate patching of affected systems to version 20250210-1 (0.8.2) which properly enforces ManageWebhooks permissions for webhook retrieval operations. Organizations should also implement monitoring for unauthorized webhook access attempts and conduct thorough permission reviews across all application components to identify similar authorization bypass opportunities. Security teams should validate that the fix correctly implements proper permission checking and that no other endpoints exhibit similar flaws in their access control mechanisms, aligning with ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) and T1566.002 (Phishing: Spearphishing Attachment) where unauthorized webhook access could facilitate additional attack vectors through message-based social engineering or credential compromise attempts.