Cyber Posture

CVE-2026-4399

High · RCE

Published: 31 March 2026

Modified: 13 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0006 (18.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4399 is a high-severity Command Injection (CWE-77) vulnerability in 1Millionbot Millie Chatbot. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 18.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as APIs and Models, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

SI-10 requires validation of user prompts to detect and block Boolean injection techniques that evade the chatbot's chat restrictions.

prevent

SI-15 filters chatbot outputs to prevent disclosure of prohibited information or execution of out-of-context responses triggered by injections.

prevent

CM-7 restricts the chatbot to least functionality essential for intended operations, limiting the scope of abuse from injected out-of-context tasks using service resources or API keys.

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.009 · Cloud API · Execution
Adversaries may abuse cloud APIs to execute malicious commands.

Why these techniques?

The vulnerability in a public-facing chatbot allows remote unauthenticated exploitation over the network, directly enabling T1190. Prompt injection facilitates execution of injected instructions that leverage cloud APIs and resources (e.g., OpenAI API key), mapping to T1059.009.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Prompt injection vulnerability in 1millionbot Millie chatbot that occurs when a user manages to evade chat restrictions using Boolean prompt injection techniques (formulating a question in such a way that, upon receiving an affirmative response ('true'), the model executes the injected instruction), causing it to return prohibited information and information outside its intended context. Successful exploitation of this vulnerability could allow a malicious remote attacker to abuse the service for purposes other than those originally intended, or even execute out-of-context tasks using 1millionbot's resources and/or OpenAI's API key. This allows the attacker to evade the containment mechanisms implemented during LLM model training and obtain responses or chat behaviors that were originally restricted.

Deeper analysis · AI

CVE-2026-4399 is a prompt injection vulnerability affecting the 1millionbot Millie chatbot. It enables users to evade chat restrictions through Boolean prompt injection techniques, where a specially formulated question triggers the model to execute an injected instruction upon receiving an affirmative 'true' response. This flaw causes the chatbot to return prohibited information or responses outside its intended context, bypassing containment mechanisms implemented during LLM model training. The vulnerability is classified under CWE-77 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on 2026-03-31.

A malicious remote attacker can exploit this vulnerability without privileges or user interaction over the network with low complexity. Successful exploitation allows the attacker to abuse the service for unintended purposes, execute out-of-context tasks, and leverage 1millionbot's resources or even OpenAI's API key, thereby evading original restrictions on chat behaviors.

The INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-1millionbot-millie-chatbot documents this issue among multiple vulnerabilities in the 1millionbot Millie chatbot.

This vulnerability highlights prompt injection risks in LLM-based chatbots, demonstrating how attackers can manipulate model outputs to perform unauthorized actions using provider resources.

Details

CWE(s)

Affected Products

1millionbot · millie chatbot · ≤ 3.6.0

AI Security Analysis · AI

AI Category: APIs and Models
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: prompt injection, prompt injection, openai, llm

CVEs Like This One

CVE-2026-26133 · Shared CWE-77
CVE-2026-26015 · Shared CWE-77
CVE-2025-49834 · Shared CWE-77
CVE-2025-49835 · Shared CWE-77
CVE-2025-49833 · Shared CWE-77
CVE-2025-49836 · Shared CWE-77
CVE-2025-24285 · Shared CWE-77
CVE-2025-63406 · Shared CWE-77
CVE-2025-43953 · Shared CWE-77
CVE-2025-64093 · Shared CWE-77
