PT-2026-38660 · Onyx · Onyx
Abdrrahimdahmani · Published 2026-05-08 · Updated 2026-05-12
CVE-2026-42276 · CVSS v3.1 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Onyx 3.0.x versions prior to 3.0.9
Onyx 3.1.x versions prior to 3.1.6
Onyx 3.2.x versions prior to 3.2.6
Description
An authorization flaw in Onyx allows any authenticated user to terminate another user's active chat session. The endpoint "/chat/stop-chat-session/{chat session id}" checks that the caller is authenticated but does not check that the referenced chat session belongs to the caller (an insecure direct object reference, IDOR). An attacker who knows or obtains a victim's chat session UUID can therefore stop the victim's Large Language Model (LLM) generation mid-stream. The impact is limited to the availability of the targeted session (the CVSS vector is PR:L, C:N, I:N, A:L): no session content is disclosed or altered, and an unauthenticated caller is still rejected.
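The following is an added illustration of the gap described above, written for this page in plain Python (the language of the Onyx backend) and not taken from the Onyx code base. It models the vulnerable handler (authentication only) next to a fixed handler (authentication plus an ownership check) against a constructed in-memory session store. All names (User, ChatSession, SESSIONS, stop_chat_session_vulnerable, stop_chat_session_fixed, HTTPError) are hypothetical and chosen for the example; the real route, its HTTP method and its data model are not reproduced here.

```python
"""Illustrative model of an IDOR on a stop-chat-session endpoint (example code, not Onyx's).

A chat session is identified by a UUID. The vulnerable handler accepts any
authenticated caller; the fixed handler additionally requires that the session
belongs to the caller. All names below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from uuid import UUID, uuid4


class HTTPError(Exception):
    """Stand-in for a framework HTTP error (status code + detail)."""

    def __init__(self, status: int, detail: str):
        super().__init__(f"{status}: {detail}")
        self.status = status
        self.detail = detail


@dataclass
class User:
    user_id: UUID
    email: str


@dataclass
class ChatSession:
    session_id: UUID
    owner_id: UUID
    generating: bool = True  # True while an LLM answer is being streamed


# Constructed in-memory store standing in for the real session database.
SESSIONS: Dict[UUID, ChatSession] = {}


def create_session(owner: User) -> ChatSession:
    session = ChatSession(session_id=uuid4(), owner_id=owner.user_id)
    SESSIONS[session.session_id] = session
    return session


def require_auth(user: Optional[User]) -> User:
    """Authentication only: rejects anonymous callers, says nothing about ownership."""
    if user is None:
        raise HTTPError(401, "not authenticated")
    return user


def stop_chat_session_vulnerable(session_id: UUID, current_user: Optional[User]) -> ChatSession:
    """Behaviour the advisory describes: any authenticated user may stop any session."""
    require_auth(current_user)
    session = SESSIONS.get(session_id)
    if session is None:
        raise HTTPError(404, "chat session not found")
    session.generating = False  # cancels the LLM stream, whoever owns the session
    return session


def stop_chat_session_fixed(session_id: UUID, current_user: Optional[User]) -> ChatSession:
    """Authorization added: the session must belong to the requester."""
    user = require_auth(current_user)
    session = SESSIONS.get(session_id)
    # Treat "not yours" exactly like "does not exist", so the endpoint cannot be
    # used to confirm which UUIDs are valid sessions belonging to other users.
    if session is None or session.owner_id != user.user_id:
        raise HTTPError(404, "chat session not found")
    session.generating = False
    return session


def demo() -> Dict[str, object]:
    """Run the attack scenario against both handlers and report what happened."""
    SESSIONS.clear()
    alice = User(uuid4(), "alice@example.test")  # constructed victim
    bob = User(uuid4(), "bob@example.test")      # constructed attacker, merely logged in
    victim_session = create_session(alice)

    # Vulnerable handler: Bob stops Alice's generation with only her session UUID.
    stop_chat_session_vulnerable(victim_session.session_id, bob)
    stopped_by_bob_vulnerable = not victim_session.generating

    # Fixed handler: the same request is rejected and the stream keeps running.
    victim_session.generating = True
    try:
        stop_chat_session_fixed(victim_session.session_id, bob)
        fixed_status_for_bob = 200
    except HTTPError as err:
        fixed_status_for_bob = err.status
    still_running_after_fixed = victim_session.generating

    # The owner can still stop her own session through the fixed handler.
    stop_chat_session_fixed(victim_session.session_id, alice)
    owner_can_stop = not victim_session.generating

    return {
        "stopped_by_bob_vulnerable": stopped_by_bob_vulnerable,
        "fixed_status_for_bob": fixed_status_for_bob,
        "still_running_after_fixed": still_running_after_fixed,
        "owner_can_stop": owner_can_stop,
    }


if __name__ == "__main__":
    print(demo())
```

The fixed handler returns 404 rather than 403 for a session the caller does not own, so the endpoint also stops acting as an oracle for which UUIDs exist; whether the upstream fix chose that status is not stated on this page and is a design choice of the example only.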
Recommendations
Update to version 3.0.9 (3.0.x branch)
Update to version 3.1.6 (3.1.x branch)
Update to version 3.2.6 (3.2.x branch)
Exploit
Fix
IDOR
Weakness Enumeration
Related Identifiers
Affected Products
Onyx