Cyber Resilience

CVE-2025-69207

MediumPublic PoC

Published: 02 February 2026

Published
02 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 5.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
EPSS Score 0.0001 2.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-69207 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Khoj Khoj. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-69207 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting Khoj, a self-hostable artificial intelligence application. In versions prior to 2.0.0-beta.23, the Notion OAuth callback endpoint fails to verify that the provided user UUID matches the initiator of the OAuth flow. This allows attackers to manipulate the state parameter and hijack any user's Notion integration. The issue carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, no privileges required, user interaction needed, and limited impact to integrity and availability.

An attacker can exploit this vulnerability by obtaining a victim's user UUID, which may leak through shared conversations containing AI-generated images, and then crafting a malicious OAuth callback. With network access and user interaction—such as the victim clicking a manipulated link—the attacker can replace the victim's Notion configuration with their own. This results in data poisoning of the victim's Khoj search index and unauthorized access to it, enabling the attacker to control the integration and potentially disrupt or manipulate the victim's AI-driven search functionalities.

The vulnerability is fixed in Khoj version 2.0.0-beta.23, as detailed in the project's security advisory (GHSA-6whj-7qmg-86qj), release notes, and the patching commit (1b7ccd141d47f365edeccc57d7316cb0913d748b). Security practitioners should urge users to upgrade to the patched version and review shared content for UUID leaks, particularly in AI-generated outputs, to mitigate exposure.

EU & UK References

Vulnerability details

Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying…

more

the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requires knowing the user's UUID which can be leaked through shared conversations where an AI generated image is present. This vulnerability is fixed in 2.0.0-beta.23.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, artificial intelligence, data poisoning

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

IDOR in public OAuth endpoint directly enables exploitation of a web app (T1190) to hijack and manipulate a victim's external integration/account linkage (T1098).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13615Shared CWE-639
CVE-2025-10742Shared CWE-639
CVE-2024-10215Shared CWE-639
CVE-2025-15521Shared CWE-639
CVE-2025-9114Shared CWE-639
CVE-2026-45398Shared CWE-639
CVE-2026-41947Shared CWE-639
CVE-2026-5652Shared CWE-639
CVE-2020-37008Shared CWE-639
CVE-2026-28788Shared CWE-639

Affected Assets

khoj
khoj
2.0.0 · ≤ 2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces that the OAuth callback only completes for the user who initiated the flow, blocking arbitrary UUID acceptance in the state parameter.

prevent

Requires validation of the supplied UUID and state value against the original OAuth initiator, preventing the IDOR that allows hijacking Notion integrations.

prevent

Ensures session authenticity by binding and verifying the OAuth state parameter, mitigating the ability to inject a forged callback for another user.

References