CVE-2026-13591

DeepMyst Mysti Contact Tracking ChannelBridge.ts _isTrackedConversation improper authorization

CVSS 2.3 LOWCWE-266 CWE-285

Vexday Risk Score

25Low

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 2.3EPSS —KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado

Lifecycle

29 Jun 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

A weakness has been identified in DeepMyst Mysti 0.4.0. Affected is the function _isTrackedConversation of the file src/managers/ChannelBridge.ts of the component Contact Tracking. This manipulation of the argument _channelType causes improper authorization. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit has been made available to the public and could be used for attacks. Patch name: 9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48. It is suggested to install a patch to address this issue.

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Affected products

DeepMyst · Mysti

public PoCs found — 1

cve_referencegithub.com/DeepMyst/Mysti/issues/42unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/DeepMyst/Mysti/https://github.com/DeepMyst/Mysti/commit/9b4aff0f106db424aa45a35aa89dd0b8f2eb9a48 https://github.com/DeepMyst/Mysti/issues/42 https://github.com/DeepMyst/Mysti/pull/43 https://vuldb.com/cve/CVE-2026-13591 https://vuldb.com/submit/844480 https://vuldb.com/vuln/374594 https://vuldb.com/vuln/374594/cti