PatchSiren cyber security CVE debrief
CVE-2025-71388 stoatchat CVE debrief
CVE-2025-71388 is a high-severity vulnerability in stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1. The issue allows users with only ViewChannel (read) permission on a channel to fetch that channel's webhooks, including their tokens. Using a retrieved token, an attacker can send arbitrary messages to the channel, bypassing channel permissions and impersonating a bot or webhook. The vulnerability was fixed in version 20250210-1 (0.8.2). This vulnerability has significant operational impact, as it allows unauthorized access to channels and potential impersonation of bots or webhooks.
- Vendor
- stoatchat
- Product
- Unknown
- CVSS
- HIGH 7.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users and administrators of stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1 should be aware of this vulnerability and take immediate action to update to version 20250210-1 (0.8.2) or later. Additionally, users with ViewChannel permission on channels should be cautious of potential exploitation and review channel permissions to prevent unauthorized access.
Technical summary
The vulnerability exists in the webhook fetch endpoint, which incorrectly checks for ViewChannel permission instead of ManageWebhooks permission. This allows users with read-only access to channels to retrieve webhook tokens, which can be used to send arbitrary messages to the channel, bypassing channel permissions. The vulnerability was introduced due to a flawed permission check in the webhook fetch endpoint, allowing unauthorized access to webhook tokens.
Defensive priority
High
Recommended defensive actions
- Update stoatchat (delta/Revolt) to version 20250210-1 (0.8.2) or later
- Restrict ViewChannel permission to prevent exploitation
- Monitor channel activity for suspicious messages
- Rotate webhook tokens for affected channels
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-16T13:16:24.193Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability exists in stoatchat (delta/Revolt) versions from 20241213-1 before 20250210-1, and users should be cautious of potential exploitation.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T13:16:24.193Z and has not been modified since then. The NVD entry is currently Deferred.