PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71388 stoatchat CVE debrief

CVE-2025-71388 is a high-severity vulnerability in stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1. The issue allows users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. The vulnerability was fixed in version 20250210-1 (0.8.2). This vulnerability has significant operational impact, as it allows unauthorized access to channels and potential impersonation of bots or webhooks.

Vendor
stoatchat
Product
Unknown
CVSS
HIGH 7.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users and administrators of stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 should be aware of this vulnerability and take immediate action to update to version 20250210-1 (0.8.2) or later. Additionally, users with ViewChannel permission on channels should be cautious of potential exploitation and review channel permissions to prevent unauthorized access.

Technical summary

The vulnerability exists in the webhook fetch endpoint, which incorrectly checks for ViewChannel permission instead of ManageWebhooks permission. This allows users with read-only access to channels to retrieve webhook tokens, which can be used to send arbitrary messages to the channel, bypassing channel permissions. The vulnerability was introduced due to a flawed permission check in the webhook fetch endpoint, allowing unauthorized access to webhook tokens.

Defensive priority

High

Recommended defensive actions

  • Update stoatchat (delta/Revolt) to version 20250210-1 (0.8.2) or later
  • Restrict ViewChannel permission to prevent exploitation
  • Monitor channel activity for suspicious messages
  • Rotate webhook tokens for affected channels
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-16T13:16:24.193Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability exists in stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1, and users should be cautious of potential exploitation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T13:16:24.193Z and has not been modified since then. The NVD entry is currently Deferred.