| Title | Khoj AI Khoj Source commit e8631261400e0a04c5063e91e498b549976ffc53; affected released versions are unknown. CWE-863: Incorrect Authorization |
|---|
| Description | A vulnerability was found in Khoj at source commit e8631261400e0a04c5063e91e498b549976ffc53 and classified as Medium severity. Affected is the public conversation sharing and fork workflow for chat conversations associated with private agents.
When a user shares a conversation, the implementation copies the source conversation's Agent foreign key into the PublicConversation object. When another authenticated user forks that public conversation, the implementation copies the same Agent foreign key into the recipient's new private Conversation. Later chat execution accepts conversation.agent as the active agent without re-authorizing the agent against the current user.
The inherited private agent is used by the chat path for behavior and configuration, including persona/system prompt construction, input/output tool routing, and in some cases agent chat-model selection. This lets a public conversation slug/fork carry a security-sensitive private agent reference across user boundaries.
The normal document search path has an access-control guard: execute_search() calls AgentAdapters.ais_agent_accessible(agent, user), and private agents owned by another user are rejected. Therefore direct private knowledge-base retrieval was not confirmed in this source snapshot. The confirmed issue is unauthorized retention and use of private agent configuration and behavior.
Authentication required: yes. User interaction required: yes, the source user must share a public conversation or otherwise expose the public conversation slug.
Technical Details
- Affected file/function: src/khoj/database/adapters/__init__.py / ConversationAdapters.make_public_conversation_copy
- Affected file/function: src/khoj/database/adapters/__init__.py / ConversationAdapters.create_conversation_from_public_conversation
- Affected file/function: src/khoj/routers/api_chat.py / fork_public_conversation and event_generator
- Affected file/function: src/khoj/routers/helpers.py / aget_data_sources_and_output_format and build_conversation_context
- Vulnerable parameter: public_conversation_slug and the forked conversation_id
- Attack vector: Network
- Privileges required: Low
- Trigger condition: an authenticated recipient forks a shared conversation originally associated with another user's private agent and continues the forked chat.
Impact
- Confidentiality: Low
- Integrity: Low
- Availability: None
CVSS v3.1
Score: 5.4 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Timeline
- Discovered: 2026-05-27
- Vendor notified: [unknown; reporter states the author was notified before this report]
- Patch released: [unknown]
- Public disclosure: [unknown]
Countermeasure
Do not copy private or protected Agent references into public conversations or forked conversations unless the recipient is authorized for that agent. Re-authorize conversation.agent before using it for chat execution, tool routing, memory scoping, chat-model selection, or retrieval. If the current user cannot access the agent, replace it with the default public agent or reject the request. |
|---|
| Source | ⚠️ https://github.com/khoj-ai/khoj/issues/1327 |
|---|
| User | Dem000000 (UID 98564) |
|---|
| Submission | 27.05.2026 14:19 (1 month ago) |
|---|
| Moderation | 28.06.2026 08:21 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 374516 [khoj-ai khoj up to 2.0.0-beta.28 Conversation Sharing api_chat.py conversation.agent privilege escalation] |
|---|
| Points | 20 |
|---|
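
The countermeasure described above, as an added example that is not Khoj's code or part of the submission: a minimal model of the fork path with the unchecked agent copy beside a fork-time check and a use-time re-authorization. All class and function names here (`Agent`, `Conversation`, `is_agent_accessible`, `fork_hardened`, `resolve_agent_for_chat`) and the two privacy levels are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the models the report names; not Khoj's real classes.
@dataclass(frozen=True)
class Agent:
    name: str
    creator: Optional[str]   # None models a system/default agent
    privacy: str             # "public" or "private" (assumed levels)

@dataclass
class Conversation:
    owner: str
    agent: Optional[Agent]
    public: bool = False

DEFAULT_AGENT = Agent("default", None, "public")

def is_agent_accessible(agent: Agent, user: str) -> bool:
    """Stand-in for the kind of guard the report says execute_search() applies."""
    return agent.privacy == "public" or agent.creator == user

def share(conv: Conversation) -> Conversation:
    """Hardened share: a public copy never carries a non-public agent."""
    agent = conv.agent if conv.agent and conv.agent.privacy == "public" else DEFAULT_AGENT
    return Conversation(conv.owner, agent, public=True)

def fork_vulnerable(public_conv: Conversation, user: str) -> Conversation:
    """Pattern from the report: the agent reference is copied without a check."""
    return Conversation(user, public_conv.agent)

def fork_hardened(public_conv: Conversation, user: str) -> Conversation:
    """Copy the agent only if the forking user is authorized for it."""
    agent = public_conv.agent
    if agent is None or not is_agent_accessible(agent, user):
        agent = DEFAULT_AGENT
    return Conversation(user, agent)

def resolve_agent_for_chat(conv: Conversation, user: str) -> Agent:
    """Re-authorize at use time; also covers conversations forked before a fix."""
    if conv.agent is not None and is_agent_accessible(conv.agent, user):
        return conv.agent
    return DEFAULT_AGENT
```

The use-time check matters even with a fixed fork path, because conversations forked earlier still hold the inherited reference.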