Intel

AIKIDO-2026-36354

@line/bot-sdk is vulnerable to URL-Based Access Control Bypass

URL-Based Access Control Bypass Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 29, 2026

45

Medium Risk

This Affects:

JS@line/bot-sdk
8.0.0 - 11.0.0
Fixed in 11.0.1
Are you affected? Scan for Free

TL;DR

The generated API clients build request paths by substituting path parameters into URL templates with raw string replacement and no encoding. When an application passes attacker-controlled values such as a userId into these path parameters, input containing ../ or unencoded slashes can escape the intended route and resolve to a different LINE Messaging API endpoint while still carrying the configured bot channel access token. This route confusion lets requests reach unintended endpoints and expose read-only bot and channel metadata. The fix adds a buildPath helper that percent-encodes path parameters and rejects dot and dot-dot path segments.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input as path parameters to the SDK client methods.

Background info

@line/bot-sdk is vulnerable to URL-Based Access Control Bypass in versions 8.0.0 - 11.0.0.

How to fix this

Upgrade the @line/bot-sdk library to the patch version.