Common Weakness Enumeration

CWE-532

Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

CVE-2026-49200 (GCVE-0-2026-49200)

Vulnerability from cvelistv5 – Published: 2026-05-29 08:51 – Updated: 2026-05-29 10:54
VLAI
Title
Acer Wave 7 router: Broken Access Control
Summary
The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Sensitive information inserted into log archives
Assigner
References
Impacted products
Vendor Product Version
Acer Wave 7 router Affected: T7c_GBL_1.01.000055 , ≤ * (custom)
Create a notification for this product.
Credits
Gergo Pap
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-49200",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T10:54:09.713245Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T10:54:23.855Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Wave 7 router",
          "vendor": "Acer",
          "versions": [
            {
              "lessThanOrEqual": "*",
              "status": "affected",
              "version": "T7c_GBL_1.01.000055",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Gergo Pap"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access."
            }
          ],
          "value": "The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37: Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Sensitive information inserted into log archives",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T08:51:15.717Z",
        "orgId": "8fc372e3-d9c5-46e4-9410-38469745c639",
        "shortName": "Acer"
      },
      "references": [
        {
          "url": "https://community.acer.com/en/kb/articles/19673"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Acer Wave 7 router: Broken Access Control",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8fc372e3-d9c5-46e4-9410-38469745c639",
    "assignerShortName": "Acer",
    "cveId": "CVE-2026-49200",
    "datePublished": "2026-05-29T08:51:15.717Z",
    "dateReserved": "2026-05-28T02:47:39.776Z",
    "dateUpdated": "2026-05-29T10:54:23.855Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4957 (GCVE-0-2026-4957)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:52 – Updated: 2026-03-27 15:31
VLAI
Title
OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file
Summary
A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Sensitive Information in Log Files
  • CWE-200 - Information Disclosure
Assigner
References
URL Tags
https://vuldb.com/?id.353834 vdb-entrytechnical-description
https://vuldb.com/?ctiid.353834 signaturepermissions-required
https://vuldb.com/?submit.777615 third-party-advisory
https://gist.github.com/YLChen-007/6279f3de0c2dff… exploit
Impacted products
Vendor Product Version
OpenBMB XAgent Affected: 1.0.0
    cpe:2.3:a:openbmb:xagent:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Eric-z (VulDB User) VulDB
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4957",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T15:30:58.845106Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T15:31:57.067Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:openbmb:xagent:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "API Key Handler"
          ],
          "product": "XAgent",
          "vendor": "OpenBMB",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Eric-z (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.handle_tool_call of the file XAgent/function_handler.py of the component API Key Handler. This manipulation of the argument api_key causes sensitive information in log files. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 3.3,
            "vectorString": "AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "Sensitive Information in Log Files",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "Information Disclosure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T14:52:21.328Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-353834 | OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.353834"
        },
        {
          "name": "VDB-353834 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.353834"
        },
        {
          "name": "Submit #777615 | OpenBMB XAgent v1.0.0 CWE-532",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.777615"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/YLChen-007/6279f3de0c2dff7732eaaf820843b562"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-27T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-27T09:13:11.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-4957",
    "datePublished": "2026-03-27T14:52:21.328Z",
    "dateReserved": "2026-03-27T08:07:45.767Z",
    "dateUpdated": "2026-03-27T15:31:57.067Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-50205 (GCVE-0-2026-50205)

Vulnerability from cvelistv5 – Published: 2026-06-04 06:43 – Updated: 2026-06-04 12:38
VLAI
Title
Plaintext Log Credential Leakage
Summary
System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
Acer Connect M6E 5G Portable WiFi Router Affected: * , ≤ M6E_AI_1.00.000019 (custom)
Create a notification for this product.
Credits
Ta-Lun Yen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-50205",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T12:38:33.444474Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T12:38:53.152Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Connect M6E 5G Portable WiFi Router",
          "vendor": "Acer",
          "versions": [
            {
              "lessThanOrEqual": "M6E_AI_1.00.000019",
              "status": "affected",
              "version": "*",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ta-Lun Yen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data."
            }
          ],
          "value": "System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-118",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-118: Collect and Analyze Information"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T06:43:00.057Z",
        "orgId": "8fc372e3-d9c5-46e4-9410-38469745c639",
        "shortName": "Acer"
      },
      "references": [
        {
          "url": "https://community.acer.com/en/kb/articles/19707"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Plaintext Log Credential Leakage",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8fc372e3-d9c5-46e4-9410-38469745c639",
    "assignerShortName": "Acer",
    "cveId": "CVE-2026-50205",
    "datePublished": "2026-06-04T06:43:00.057Z",
    "dateReserved": "2026-06-04T01:29:10.111Z",
    "dateUpdated": "2026-06-04T12:38:53.152Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54236 (GCVE-0-2026-54236)

Vulnerability from cvelistv5 – Published: 2026-06-22 22:09 – Updated: 2026-06-23 12:33
VLAI
Title
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
Summary
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
vllm-project vllm Affected: < 0.23.1rc0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54236",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T12:32:56.752434Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T12:33:28.108Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vllm",
          "vendor": "vllm-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.23.1rc0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, is incomplete: several response paths echo str(exc) directly to clients without calling sanitize_message. The unsanitized sites include the Anthropic API router in vllm/entrypoints/anthropic/api_router.py (the POST /v1/messages and POST /v1/messages/count_tokens handlers), the Server-Sent Events streaming converter in vllm/entrypoints/anthropic/serving.py, and the realtime speech-to-text WebSocket in vllm/entrypoints/speech_to_text/realtime/connection.py. These paths catch the exception inside the route coroutine and construct the JSONResponse themselves, bypassing the sanitizing global FastAPI exception handler, and WebSocket frames do not traverse that handler chain at all. Using the same primitive as the parent issue, an unauthenticated attacker can send malformed image bytes through the Anthropic Messages API image content parts so that PIL.Image.open raises an UnidentifiedImageError whose message contains the BytesIO object repr, leaking the heap memory address verbatim in the error.message field of the response body. This vulnerability is fixed in 0.23.1rc0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T22:09:15.034Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-hgg8-fqqc-vfmw"
        },
        {
          "name": "https://github.com/vllm-project/vllm/pull/45119",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vllm-project/vllm/pull/45119"
        },
        {
          "name": "https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vllm-project/vllm/commit/94923629729381d7f7c9efde72071a2441f7fd82"
        }
      ],
      "source": {
        "advisory": "GHSA-hgg8-fqqc-vfmw",
        "discovery": "UNKNOWN"
      },
      "title": "vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54236",
    "datePublished": "2026-06-22T22:09:15.034Z",
    "dateReserved": "2026-06-12T16:25:43.084Z",
    "dateUpdated": "2026-06-23T12:33:28.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54652 (GCVE-0-2026-54652)

Vulnerability from cvelistv5 – Published: 2026-07-08 14:52 – Updated: 2026-07-08 15:20
VLAI
Title
Frigate viewer can read logs exposing admin and camera credentials
Summary
Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and enabling viewer-to-admin privilege escalation. A fixed release has not been identified.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-269 - Improper Privilege Management
  • CWE-532 - Insertion of Sensitive Information into Log File
  • CWE-598 - Use of GET Request Method With Sensitive Query Strings
  • CWE-863 - Incorrect Authorization
Assigner
Impacted products
Vendor Product Version
blakeblackshear frigate Affected: <= 0.17.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54652",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-08T15:20:07.339673Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-08T15:20:23.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "frigate",
          "vendor": "blakeblackshear",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.17.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and enabling viewer-to-admin privilege escalation. A fixed release has not been identified."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-598",
              "description": "CWE-598: Use of GET Request Method With Sensitive Query Strings",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-08T14:52:42.752Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-c4qf-xxq4-vf55"
        },
        {
          "name": "https://github.com/blakeblackshear/frigate/commit/68e8afd35c76f05f68de47ee9588d2c91796de4b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/blakeblackshear/frigate/commit/68e8afd35c76f05f68de47ee9588d2c91796de4b"
        },
        {
          "name": "https://github.com/blakeblackshear/frigate/commit/bd1fc1cc72cd4fa371464a087cbf3d7f3142edc6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/blakeblackshear/frigate/commit/bd1fc1cc72cd4fa371464a087cbf3d7f3142edc6"
        }
      ],
      "source": {
        "advisory": "GHSA-c4qf-xxq4-vf55",
        "discovery": "UNKNOWN"
      },
      "title": "Frigate viewer can read logs exposing admin and camera credentials"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54652",
    "datePublished": "2026-07-08T14:52:42.752Z",
    "dateReserved": "2026-06-15T20:16:46.199Z",
    "dateUpdated": "2026-07-08T15:20:23.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54704 (GCVE-0-2026-54704)

Vulnerability from cvelistv5 – Published: 2026-07-01 21:15 – Updated: 2026-07-02 12:23
VLAI
Title
OpenTelemetry Java Instrumentation: JDBC Auto-Instrumentation Logging Clear-Text Passwords
Summary
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54704",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T12:23:43.311803Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T12:23:50.336Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-java-instrumentation",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.28.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T21:15:37.903Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-rwqx-fvqh-6wm4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-rwqx-fvqh-6wm4"
        }
      ],
      "source": {
        "advisory": "GHSA-rwqx-fvqh-6wm4",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry Java Instrumentation: JDBC Auto-Instrumentation Logging Clear-Text Passwords"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54704",
    "datePublished": "2026-07-01T21:15:37.903Z",
    "dateReserved": "2026-06-15T22:58:06.563Z",
    "dateUpdated": "2026-07-02T12:23:50.336Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-56457 (GCVE-0-2026-56457)

Vulnerability from cvelistv5 – Published: 2026-06-29 13:18 – Updated: 2026-06-29 13:58
VLAI
Title
HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information
Summary
HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of sensitive information into log file
Assigner
HCL
Impacted products
Vendor Product Version
HCLSoftware HCL DevOps Deploy / HCL Launch Affected: 7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
Create a notification for this product.
Date Public
2026-06-29 13:18
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-56457",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T13:58:36.273301Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T13:58:43.773Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HCL DevOps Deploy / HCL Launch",
          "vendor": "HCLSoftware",
          "versions": [
            {
              "status": "affected",
              "version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
            }
          ]
        }
      ],
      "datePublic": "2026-06-29T13:18:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step.\u003c/p\u003e"
            }
          ],
          "value": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of sensitive information into log file",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-29T13:18:59.104Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131694"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2026-56457",
    "datePublished": "2026-06-29T13:18:59.104Z",
    "dateReserved": "2026-06-22T13:38:32.649Z",
    "dateUpdated": "2026-06-29T13:58:43.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-56459 (GCVE-0-2026-56459)

Vulnerability from cvelistv5 – Published: 2026-07-09 08:25 – Updated: 2026-07-09 12:37
VLAI
Title
HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure
Summary
HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure.  The application stores potentially sensitive information in log files that could be read by a local user.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of sensitive information into log file
Assigner
HCL
Impacted products
Vendor Product Version
HCLSoftware HCL DevOps Deploy / HCL Launch Affected: 7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0
Create a notification for this product.
Date Public
2026-07-09 08:25
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-56459",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T12:37:02.972180Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T12:37:09.372Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HCL DevOps Deploy / HCL Launch",
          "vendor": "HCLSoftware",
          "versions": [
            {
              "status": "affected",
              "version": "7.3-7.3.2.18, 8.0-8.0.1.13, 8.1-8.1.2.6, 8.2-8.2.1.0"
            }
          ]
        }
      ],
      "datePublic": "2026-07-09T08:25:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eHCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. \u0026nbsp;The application stores potentially sensitive information in log files that could be read by a local user.\u003c/p\u003e"
            }
          ],
          "value": "HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure. \u00a0The application stores potentially sensitive information in log files that could be read by a local user."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of sensitive information into log file",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T08:25:50.779Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131696"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HCL DevOps Deploy / HCL Launch is susceptible to sensitive information disclosure",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2026-56459",
    "datePublished": "2026-07-09T08:25:50.779Z",
    "dateReserved": "2026-06-22T13:38:32.650Z",
    "dateUpdated": "2026-07-09T12:37:09.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-59947 (GCVE-0-2026-59947)

Vulnerability from cvelistv5 – Published: 2026-07-08 19:33 – Updated: 2026-07-09 14:01
VLAI
Title
Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure)
Summary
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug output because AuthHelper, Url::sanitize, and ProcessExecutor did not sanitize username-only URL credentials. This issue is fixed in versions 2.2.29 and 2.10.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
Impacted products
Vendor Product Version
composer composer Affected: >= 1.0, < 2.2.29
Affected: >= 2.3.0, < 2.10.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-59947",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T14:01:31.826906Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:01:42.612Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "composer",
          "vendor": "composer",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0, \u003c 2.2.29"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.3.0, \u003c 2.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug output because AuthHelper, Url::sanitize, and ProcessExecutor did not sanitize username-only URL credentials. This issue is fixed in versions 2.2.29 and 2.10.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-08T19:33:56.009Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/composer/composer/security/advisories/GHSA-g6xq-892h-64w3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/composer/composer/security/advisories/GHSA-g6xq-892h-64w3"
        },
        {
          "name": "https://github.com/composer/composer/commit/6bd66874ae523ecb69aca5964487a0cdfda03ef8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/composer/composer/commit/6bd66874ae523ecb69aca5964487a0cdfda03ef8"
        },
        {
          "name": "https://github.com/composer/composer/commit/8887ad76fbd830cb1861a2b1fd8ead78ed1fa1ec",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/composer/composer/commit/8887ad76fbd830cb1861a2b1fd8ead78ed1fa1ec"
        },
        {
          "name": "https://github.com/composer/composer/releases/tag/2.10.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/composer/composer/releases/tag/2.10.2"
        },
        {
          "name": "https://github.com/composer/composer/releases/tag/2.2.29",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/composer/composer/releases/tag/2.2.29"
        }
      ],
      "source": {
        "advisory": "GHSA-g6xq-892h-64w3",
        "discovery": "UNKNOWN"
      },
      "title": "Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-59947",
    "datePublished": "2026-07-08T19:33:56.009Z",
    "dateReserved": "2026-07-07T18:49:15.607Z",
    "dateUpdated": "2026-07-09T14:01:42.612Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6720 (GCVE-0-2026-6720)

Vulnerability from cvelistv5 – Published: 2026-05-28 15:47 – Updated: 2026-05-28 17:04
VLAI
Title
Calicoctl leaks cluster credentials to stderr when verbose logging is enabled
Summary
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream — CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl — can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Tigera Calico Affected: 0 , < 3.32.0 (semver)
Create a notification for this product.
Tigera Calico Enterprise Affected: 0 , < 3.21.7 (semver)
Unaffected: 3.22.3 (semver)
Create a notification for this product.
Tigera Calico Cloud Affected: 0 , < 22.4.0 (semver)
Create a notification for this product.
Date Public
2026-05-28 16:00
Credits
Behnam Shobiri Behnam Shobiri Anthony Tam
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6720",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T17:04:05.727153Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T17:04:11.659Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Calico",
          "vendor": "Tigera",
          "versions": [
            {
              "lessThan": "3.32.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Calico Enterprise",
          "vendor": "Tigera",
          "versions": [
            {
              "lessThan": "3.21.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "3.22.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Calico Cloud",
          "vendor": "Tigera",
          "versions": [
            {
              "lessThan": "22.4.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:tigera:calico:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.32.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:tigera:calico_enterprise:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.21.7",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:tigera:calico_enterprise:3.22.3:*:*:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            },
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:tigera:calico_cloud:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "22.4.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Behnam Shobiri"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Behnam Shobiri"
        },
        {
          "lang": "en",
          "type": "remediation verifier",
          "value": "Anthony Tam"
        }
      ],
      "datePublic": "2026-05-28T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan\u003eWhen \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e is invoked with \u003c/span\u003e\u003cspan\u003e--log-level=info\u003c/span\u003e\u003cspan\u003e or \u003c/span\u003e\u003cspan\u003e--log-level=debug\u003c/span\u003e\u003cspan\u003e, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e \u2014 can extract these credentials with zero Kubernetes privilege. \u003c/span\u003e\u003cspan\u003ecalicoctl\u003c/span\u003e\u003cspan\u003e\u0027s default log level is \u003c/span\u003e\u003cspan\u003epanic\u003c/span\u003e\u003cspan\u003e, so this issue only triggers when verbose logging is explicitly enabled.\u003c/span\u003e"
            }
          ],
          "value": "When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster \u2014 inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream \u2014 CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl \u2014 can extract these credentials with zero Kubernetes privilege. calicoctl\u0027s default log level is panic, so this issue only triggers when verbose logging is explicitly enabled."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-150",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-150 Collect Data from Common Resource Locations"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T15:47:42.519Z",
        "orgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
        "shortName": "Tigera"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/projectcalico/calico/pull/12535"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/projectcalico/calico/pull/12536"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/projectcalico/calico/pull/12537"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.tigera.io/security-bulletins/tta-2026-003/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Calicoctl leaks cluster credentials to stderr when verbose logging is enabled",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e6d453f4-3dae-4941-bcea-9af25f4e824d",
    "assignerShortName": "Tigera",
    "cveId": "CVE-2026-6720",
    "datePublished": "2026-05-28T15:47:42.519Z",
    "dateReserved": "2026-04-20T19:31:31.065Z",
    "dateUpdated": "2026-05-28T17:04:11.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phases: Architecture and Design, Implementation

Description:

  • Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Mitigation

Phase: Distribution

Description:

  • Remove debug log files before deploying the application into production.
Mitigation

Phase: Operation

Description:

  • Protect log files against unauthorized read/write.
Mitigation

Phase: Implementation

Description:

  • Adjust configurations appropriately when software is transitioned from a debug state to production.
CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.

Back to CWE stats page