Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-312
Cleartext Storage of Sensitive Information
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CVE-2026-8596 (GCVE-0-2026-8596)
Vulnerability from cvelistv5 – Published: 2026-05-14 19:35 – Updated: 2026-05-16 03:56
VLAI
EPSS
VEX
Title
Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
Summary
Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for specially crafted model artifacts, achieving code execution in inference containers. This issue requires a remote authenticated actor with permissions to call SageMaker describe APIs and S3 write access to the model artifact path.
To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuild any models previously created with ModelBuilder using the updated SDK.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-312 - Cleartext storage of sensitive information
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/aws/sagemaker-python-sdk/relea… | patch |
| https://github.com/aws/sagemaker-python-sdk/relea… | patch |
| https://aws.amazon.com/security/security-bulletin… | vendor-advisory |
| https://github.com/aws/sagemaker-python-sdk/secur… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Amazon SageMaker Python SDK | AWS |
Affected:
2.199.0 , ≤ 2.257.1
(custom)
Affected: 3.0.0 , ≤ 3.7.1 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T03:56:21.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AWS",
"vendor": "Amazon SageMaker Python SDK",
"versions": [
{
"lessThanOrEqual": "2.257.1",
"status": "affected",
"version": "2.199.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.7.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:amazon_sagemaker_python_sdk:aws:*:*:*:*:*:*:*:*",
"versionEndIncluding": "2.257.1",
"versionStartIncluding": "2.199.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:amazon_sagemaker_python_sdk:aws:*:*:*:*:*:*:*:*",
"versionEndIncluding": "3.7.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for specially crafted model artifacts, achieving code execution in inference containers. This issue requires a remote authenticated actor with permissions to call SageMaker describe APIs and S3 write access to the model artifact path.\u003c/p\u003e\u003cp\u003eTo remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuild any models previously created with ModelBuilder using the updated SDK.\u003c/p\u003e"
}
],
"value": "Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for specially crafted model artifacts, achieving code execution in inference containers. This issue requires a remote authenticated actor with permissions to call SageMaker describe APIs and S3 write access to the model artifact path.\n\n\n\nTo remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuild any models previously created with ModelBuilder using the updated SDK."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext storage of sensitive information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T19:51:41.804Z",
"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"shortName": "AMZN"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.257.2"
},
{
"tags": [
"patch"
],
"url": "https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.8.0"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://aws.amazon.com/security/security-bulletins/2026-031-aws/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-7hh5-prp2-mfh5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
"assignerShortName": "AMZN",
"cveId": "CVE-2026-8596",
"datePublished": "2026-05-14T19:35:51.421Z",
"dateReserved": "2026-05-14T13:39:22.096Z",
"dateUpdated": "2026-05-16T03:56:21.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8804 (GCVE-0-2026-8804)
Vulnerability from cvelistv5 – Published: 2026-07-03 07:40 – Updated: 2026-07-06 15:21
VLAI
EPSS
VEX
Title
Cleartext Storage of Sensitive Information for Puppet Resource API
Summary
Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Perforce | Puppet Core |
Affected:
8.11.0 , ≤ 8.19.0
(custom)
Affected: 8.0.0 , ≤ 8.10.0 (custom) Unaffected: 8.20.0 (custom) |
|
| Perforce | Puppet Enterprise |
Affected:
2023.8.0 , ≤ 2023.8.9
(custom)
Affected: 2025.0.0 , ≤ 2025.10.0 (custom) Unaffected: 2023.8.10 (custom) Unaffected: 2025.11.0 (custom) |
Date Public
2026-06-26 19:30
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T15:21:19.672849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T15:21:55.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"puppet resource_api"
],
"product": "Puppet Core",
"vendor": "Perforce",
"versions": [
{
"lessThanOrEqual": "8.19.0",
"status": "affected",
"version": "8.11.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.10.0",
"status": "affected",
"version": "8.0.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "8.20.0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"modules": [
"puppet resource_api"
],
"product": "Puppet Enterprise",
"vendor": "Perforce",
"versions": [
{
"lessThanOrEqual": "2023.8.9",
"status": "affected",
"version": "2023.8.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2025.10.0",
"status": "affected",
"version": "2025.0.0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2023.8.10",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2025.11.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2026-06-26T19:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent\u0027s local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api\u0026nbsp;1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 \u0026amp; PE 2025.11.0.\u003cbr\u003e"
}
],
"value": "Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent\u0027s local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api\u00a01.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 \u0026 PE 2025.11.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-313",
"description": "CWE-313 Cleartext storage in a file or on disk",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext storage of sensitive information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T07:43:05.217Z",
"orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"shortName": "Perforce"
},
"references": [
{
"url": "https://portal.perforce.com/s/cve/a91Qi000003511lIAA/cve20268804-cleartext-storage-of-sensitive-information-for-puppet-resource-api"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to\u0026nbsp;\u003cspan\u003ePuppet Core 8.20.0,\u0026nbsp;\u003c/span\u003e\u003cspan\u003ePE 2023.8.10, or\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003ePE\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003e2025.11.0\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Upgrade to\u00a0Puppet Core 8.20.0,\u00a0PE 2023.8.10, or\u00a0PE\u00a02025.11.0"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cleartext Storage of Sensitive Information for Puppet Resource API",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
"assignerShortName": "Perforce",
"cveId": "CVE-2026-8804",
"datePublished": "2026-07-03T07:40:15.684Z",
"dateReserved": "2026-05-18T05:31:00.670Z",
"dateUpdated": "2026-07-06T15:21:55.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9274 (GCVE-0-2026-9274)
Vulnerability from cvelistv5 – Published: 2026-05-25 09:19 – Updated: 2026-05-26 14:42
VLAI
EPSS
VEX
Title
Information Exposure Vulnerability in CP-Plus Wi-Fi Camera
Summary
This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device.
Successful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cert-in.org.in/s2cMainServlet?pageid=… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CP Plus | Wi-Fi Camera CP-E38Q, CP-E48Q, CP-E25Q, CP-E35Q, CP-E45Q, CP-E28Q, CP-E21Q, CP-E31Q, CP-E41Q, CP-E24Q, CP-Z43Q, CP-E34Q, CP-E44Q, CP-T31Q, CP-V48Q, CP-V41Q, CP-Z45Q |
Affected:
v02.21.031 or below
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9274",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T14:34:46.327904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T14:42:56.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wi-Fi Camera CP-E38Q, CP-E48Q, CP-E25Q, CP-E35Q, CP-E45Q, CP-E28Q, CP-E21Q, CP-E31Q, CP-E41Q, CP-E24Q, CP-Z43Q, CP-E34Q, CP-E44Q, CP-T31Q, CP-V48Q, CP-V41Q, CP-Z45Q",
"vendor": "CP Plus",
"versions": [
{
"status": "affected",
"version": "v02.21.031 or below"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:cp_plus:wi-fi_camera_cp-e38q_cp-e48q_cp-e25q_cp-e35q_cp-e45q_cp-e28q_cp-e21q_cp-e31q_cp-e41q_cp-e24q_cp-z43q_cp-e34q_cp-e44q_cp-t31q_cp-v48q_cp-v41q_cp-z45q:v02.21.031_or_below:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability is reported by Mohsin Quresh."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. \n\u003cbr\u003e\n\u003cbr\u003eSuccessful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.\u0026nbsp;\u003cbr\u003e"
}
],
"value": "This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. \n\n\n\nSuccessful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "PHYSICAL",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T09:19:04.664Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2026-0266"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade CP Plus Wi-Fi Camera to the latest firmware version v02.21.041 through OTA using the Ezykam+ mobile application.\u003cdiv\u003ehttps://cpplusworld.com/products/ezyhome/ezykam\u0026nbsp;\u003c/div\u003e"
}
],
"value": "Upgrade CP Plus Wi-Fi Camera to the latest firmware version v02.21.041 through OTA using the Ezykam+ mobile application.https://cpplusworld.com/products/ezyhome/ezykam"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Exposure Vulnerability in CP-Plus Wi-Fi Camera",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2026-9274",
"datePublished": "2026-05-25T09:19:04.664Z",
"dateReserved": "2026-05-22T11:57:54.666Z",
"dateUpdated": "2026-05-26T14:42:56.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases: Implementation, System Configuration, Operation
Description:
- When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
Phases: Implementation, System Configuration, Operation
Description:
- In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.