CVE-2025-69207
Published: 02 February 2026
Summary
CVE-2025-69207 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Khoj Khoj. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-69207 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting Khoj, a self-hostable artificial intelligence application. In versions prior to 2.0.0-beta.23, the Notion OAuth callback endpoint fails to verify that the provided user UUID matches the initiator of the OAuth flow. This allows attackers to manipulate the state parameter and hijack any user's Notion integration. The issue carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, no privileges required, user interaction needed, and limited impact to integrity and availability.
An attacker can exploit this vulnerability by obtaining a victim's user UUID, which may leak through shared conversations containing AI-generated images, and then crafting a malicious OAuth callback. With network access and user interaction—such as the victim clicking a manipulated link—the attacker can replace the victim's Notion configuration with their own. This results in data poisoning of the victim's Khoj search index and unauthorized access to it, enabling the attacker to control the integration and potentially disrupt or manipulate the victim's AI-driven search functionalities.
The vulnerability is fixed in Khoj version 2.0.0-beta.23, as detailed in the project's security advisory (GHSA-6whj-7qmg-86qj), release notes, and the patching commit (1b7ccd141d47f365edeccc57d7316cb0913d748b). Security practitioners should urge users to upgrade to the patched version and review shared content for UUID leaks, particularly in AI-generated outputs, to mitigate exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206746
Vulnerability details
Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying…
more
the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requires knowing the user's UUID which can be leaked through shared conversations where an AI generated image is present. This vulnerability is fixed in 2.0.0-beta.23.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, artificial intelligence, data poisoning
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR in public OAuth endpoint directly enables exploitation of a web app (T1190) to hijack and manipulate a victim's external integration/account linkage (T1098).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces that the OAuth callback only completes for the user who initiated the flow, blocking arbitrary UUID acceptance in the state parameter.
Requires validation of the supplied UUID and state value against the original OAuth initiator, preventing the IDOR that allows hijacking Notion integrations.
Ensures session authenticity by binding and verifying the OAuth state parameter, mitigating the ability to inject a forged callback for another user.