
Unblu security bulletins

Unblu takes security very seriously. If a vulnerability is brought to our attention, we aim to fix it as soon as possible.

Known vulnerabilities are published as security bulletins on this page. However, we actively notify our customers before we publish vulnerabilities. This allows them to take appropriate steps to protect their own customers.

Reporting vulnerabilities

If you discover a vulnerability or any other security issue in any Unblu products, please report it to security@unblu.com. You can use the PGP key below to encrypt your email.

Unblu runs a bug bounty program on YesWeHack. If you’re interested in taking part, request an invitation from security@unblu.com. Make sure to mention your YesWeHack username in your message.

Listing 1. PGP key for reporting problems to security@unblu.com

Security bulletins

UBL-2025-002: File upload functionality possible even when disabled

Summary

Users can upload files to a conversation even if the file upload functionality is disabled.

Affected components and versions

  • Unblu Spark (v8): 8.12.1 and earlier

  • Unblu Spark (v7): 7.53.4 and earlier

Fix versions

Details

The file upload functionality can be configured in such a way that it’s only enabled or disabled for specific use cases.

If the functionality is disabled in at least one use case, Unblu nevertheless accepts and completes API requests to upload files.

When the user uploads a file, it’s processed like any other uploaded file: it must still pass any file interceptors in place, and only allowed file types are accepted.

UBL-2025-001: Replace uploaded files knowing the file upload ID

Summary

Participants of a conversation can replace a file in the conversation without changing the file name, provided they know the file upload ID.

Affected components and versions

  • Unblu Spark (v8): 8.12.1 and earlier

Fix versions

Details

Every uploaded file in Unblu is assigned a randomly generated Universally Unique ID (UUID).

If a participant in a conversation gets access to a file’s UUID, they can use this information to replace the file without changing the file’s name, the file’s details, or the name of the user who uploaded the file.

The participant needn’t be a participant in the conversation the file was uploaded to. They can be a participant in any conversation.

When the participant replaces the uploaded file, the new file is processed like any other uploaded file: it must still pass any file interceptors in place, and only allowed file types are accepted.
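Both bulletins above describe the same class of defect: an API path that skips a server-side authorization check the configuration or the data model implies. The following is an added illustration, not Unblu's code and not its actual fix, using a constructed Python model with hypothetical names (FileStore, Conversation, UploadedFile): the upload handler enforces the per-use-case setting on the API path (UBL-2025-002), and the replace handler requires membership in the conversation that owns the file, so knowing the upload UUID alone grants nothing (UBL-2025-001).

```python
import uuid
from dataclasses import dataclass

@dataclass
class Conversation:
    conv_id: str
    use_case: str
    participants: set

@dataclass
class UploadedFile:
    upload_id: str  # random UUID, as Unblu assigns to every upload
    conv_id: str
    name: str
    uploader: str
    content: bytes

class FileStore:
    def __init__(self, upload_enabled, conversations):
        self.upload_enabled = upload_enabled  # use case -> bool
        self.conversations = {c.conv_id: c for c in conversations}
        self.files = {}

    def upload(self, user, conv_id, name, content):
        conv = self.conversations[conv_id]
        if user not in conv.participants:
            raise PermissionError("caller is not a participant")
        # UBL-2025-002: enforce the per-use-case setting on the API path itself,
        # not only by hiding the upload control in the UI.
        if not self.upload_enabled.get(conv.use_case, False):
            raise PermissionError("file upload disabled for this use case")
        upload_id = str(uuid.uuid4())
        self.files[upload_id] = UploadedFile(upload_id, conv_id, name, user, content)
        return upload_id

    def replace(self, user, upload_id, content):
        f = self.files[upload_id]
        conv = self.conversations[f.conv_id]
        # UBL-2025-001: knowing the UUID is not authorization; bind the replace
        # to membership in the conversation that owns the file (modelled mitigation).
        if user not in conv.participants:
            raise PermissionError("caller is not in the file's conversation")
        f.content = content
        return f

def build_demo_store():
    # Constructed sample data: uploads enabled for "retail", disabled for "banking".
    return FileStore({"retail": True, "banking": False}, [
        Conversation("c1", "retail", {"alice", "bob"}),
        Conversation("c2", "banking", {"carol"})])
```

The replace path deliberately leaves the file name and uploader untouched, matching the behaviour the bulletin describes, while the membership check decides who may do it.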