PatchSiren cyber security CVE debrief
CVE-2026-47225 typesense CVE debrief
A cache isolation issue was found in Typesense, a fast, typo-tolerant search engine. This issue affects search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across requests with different Scoped Search API Key constraints. This could result in a request receiving search results that should have been restricted by its Scoped Search API Key.
- Vendor: typesense
- Product: Unknown
- CVSS: MEDIUM 6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Typesense who use server-side search result caching and Scoped Search API Keys with embedded filters to restrict access to search results within a collection.
Technical summary
Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across requests with different Scoped Search API Key constraints.
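A simplified model of the cache isolation failure described above, added here as an example. It is not Typesense code, and the page does not describe the actual root cause or the request ordering involved. The sample collection, the filter shape and all function names are assumptions made for illustration.

```python
# Simplified model of a search result cache (illustrative, not Typesense code).
import hashlib
import json

DOCS = [  # constructed sample collection
    {"id": 1, "tenant": "a", "title": "invoice alpha"},
    {"id": 2, "tenant": "b", "title": "invoice beta"},
]

def run_search(q, embedded_filter):
    """Apply the query plus the filter embedded in the scoped key."""
    return [d["id"] for d in DOCS
            if q in d["title"]
            and all(d.get(k) == v for k, v in embedded_filter.items())]

def weak_key(params, embedded_filter):
    # Flaw being modelled: the key covers only caller-supplied parameters,
    # so two scopes issuing the same query map to the same cache entry.
    return hashlib.sha256(json.dumps(params, sort_keys=True).encode()).hexdigest()

def isolated_key(params, embedded_filter):
    # Hardened: the constraints enforced by the scoped key are part of the key.
    blob = json.dumps({"params": params, "scope": embedded_filter}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

class CachedSearch:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.cache = {}

    def search(self, params, embedded_filter):
        key = self.key_fn(params, embedded_filter)
        if key not in self.cache:
            self.cache[key] = run_search(params["q"], embedded_filter)
        return self.cache[key]

def leaks_across_scopes(key_fn):
    """Regression check: one query under two scopes must not share an entry."""
    engine = CachedSearch(key_fn)
    params = {"q": "invoice", "use_cache": True}  # constructed sample request
    first = engine.search(params, {"tenant": "a"})
    second = engine.search(params, {"tenant": "b"})
    return second == first  # True: scope "b" was served scope "a"'s results

if __name__ == "__main__":
    print("weak key leaks:", leaks_across_scopes(weak_key))
    print("isolated key leaks:", leaks_across_scopes(isolated_key))
```

The same two-scope comparison can serve as a post-upgrade regression check against a test collection: identical queries issued under two differently scoped keys should never return each other's documents.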
Defensive priority
MEDIUM
Recommended defensive actions
- Update Typesense to version 29.1 or 30.2 to patch the vulnerability.
- Review and adjust Scoped Search API Key constraints to ensure proper access control.
Evidence notes
This vulnerability may result in unintended disclosure of search results across scoped authorization contexts.
Official resources
- CVE-2026-47225 CVE record (CVE.org)
- CVE-2026-47225 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2026-47225 was published on 2026-06-12T18:16:34.783Z.