PT-2026-3483 · Unknown · Chatterbot

Adityabhatt3010 · Published 2026-01-19 · Updated 2026-02-05 · CVE-2026-23842

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Vulnerable: ChatterBot versions up to 1.2.10
Fixed: ChatterBot version 1.2.11
Description

ChatterBot, a machine learning conversational dialog engine, is susceptible to a denial-of-service condition caused by improper management of database sessions and connection pools. Concurrent calls to the get_response() method can deplete the SQLAlchemy connection pool, leaving the service unavailable until it is manually restarted. The issue stems from get_response() having no concurrency limit, rate limit, or explicit session lifecycle control: each call consumes a database connection without releasing it in time, so a burst of requests exhausts the SQLAlchemy QueuePool, and subsequent requests block until the pool timeout elapses and then fail with a TimeoutError. In deployments where ChatterBot is exposed as a chatbot service, the condition can be triggered without authentication.
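The failure mode above, reproduced as an added example that is not ChatterBot's code, not SQLAlchemy, and not the fix shipped in 1.2.11. It uses a small bounded pool with a checkout timeout as a stand-in for SQLAlchemy's QueuePool (an assumption), a hypothetical "leaky" handler that checks out a connection per call and never returns it, and a hypothetical hardened handler that bounds concurrency with a semaphore and returns the connection in a context manager so the pool recovers. The burst of requests is constructed sample traffic; the pool size, timeout and handler names are all assumptions.

```python
import collections
import queue
import threading
from contextlib import contextmanager


class ConnectionPool:
    """Bounded pool with a checkout timeout, a toy stand-in for SQLAlchemy's
    QueuePool (assumption: not SQLAlchemy and not ChatterBot's storage adapter)."""

    def __init__(self, size=2, timeout=0.2):
        self.timeout = timeout
        self._free = queue.Queue(maxsize=size)
        for i in range(size):
            self._free.put(f"conn-{i}")

    def checkout(self):
        # Block for at most `timeout` seconds, then fail the way a saturated pool does.
        try:
            return self._free.get(timeout=self.timeout)
        except queue.Empty:
            raise TimeoutError("pool exhausted: connection checkout timed out") from None

    def checkin(self, conn):
        self._free.put(conn)

    def available(self):
        return self._free.qsize()


def leaky_get_response(pool, text):
    """Hypothetical vulnerable handler: checks out a connection and never returns it."""
    pool.checkout()  # the leaked connection is gone for the life of the process
    return f"echo: {text}"


class Overloaded(Exception):
    """Raised when a request is shed because the concurrency gate is full."""


class HardenedBot:
    """Hypothetical hardened handler: bounded concurrency plus a session that
    always returns its connection, so excess load is shed instead of wedging the pool."""

    def __init__(self, pool, max_concurrent):
        self._pool = pool
        self._gate = threading.BoundedSemaphore(max_concurrent)

    @contextmanager
    def _session(self):
        conn = self._pool.checkout()
        try:
            yield conn
        finally:
            self._pool.checkin(conn)  # released even if the handler raises

    def get_response(self, text):
        # Fail fast rather than queueing without bound on the pool.
        if not self._gate.acquire(timeout=self._pool.timeout):
            raise Overloaded("too many concurrent requests")
        try:
            with self._session():
                return f"echo: {text}"
        finally:
            self._gate.release()


def hammer(handler, requests):
    """Fire every request on its own thread and tally outcomes by exception name."""
    outcomes = []
    lock = threading.Lock()

    def worker(text):
        try:
            handler(text)
            result = "ok"
        except Exception as exc:
            result = type(exc).__name__
        with lock:
            outcomes.append(result)

    threads = [threading.Thread(target=worker, args=(t,)) for t in requests]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return collections.Counter(outcomes)


if __name__ == "__main__":
    burst = [f"message {i}" for i in range(10)]  # constructed sample traffic

    leaky_pool = ConnectionPool(size=2, timeout=0.2)
    print("leaky:", dict(hammer(lambda t: leaky_get_response(leaky_pool, t), burst)))
    print("connections left:", leaky_pool.available())  # 0: every later call times out

    safe_pool = ConnectionPool(size=2, timeout=0.2)
    bot = HardenedBot(safe_pool, max_concurrent=2)
    print("hardened:", dict(hammer(bot.get_response, burst)))
    print("connections left:", safe_pool.available())  # 2: pool fully recovered
```

With a pool of two connections and a burst of ten requests, the leaky handler serves two and the other eight block for the pool timeout and then raise TimeoutError; the pool is left empty, so every later request fails too, which is the "manual restart to recover" condition in the description. The hardened handler serves all ten with the same pool because connections are returned, and if the gate is saturated it rejects with Overloaded instead of holding callers on the pool. Whether the real 1.2.11 change takes this shape is not stated on this page.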
Recommendations

ChatterBot versions up to 1.2.10 should be updated to version 1.2.11.

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-23842
GHSA-V4W8-49PV-MF72

Affected Products

Chatterbot