GHSA-92QF-FCPH-V5WR
Vulnerability from github – Published: 2026-06-25 21:45 – Updated: 2026-06-25 21:45Impact
nextflow auth login persists Seqera Platform OIDC tokens to ${NXF_HOME:-~/.nextflow}/seqera-auth.config. The file is created via Java NIO without specifying file permissions, so under the default umask 022 it lands at mode 0644 (world-readable).
On a multi-user POSIX host — typically an HPC login node, shared workstation, or jump host — any local user able to traverse the victim's home directory can read the file and obtain a valid Platform bearer token, enabling impersonation against Seqera Platform within the token's scope.
Single-user systems and headless CI runners, which do not invoke the interactive login flow, are not affected.
Affected versions: 25.09.2-edge through 26.04.1.
Patches
Fixed in <PATCHED_VERSION>. The patched code applies mode 0600 to seqera-auth.config immediately after writing it, and re-applies on every subsequent login so any pre-existing world-readable copy left by an earlier version is tightened.
Tokens previously stored in the file must be treated as disclosed. After upgrading, run nextflow auth logout, revoke the token in the Seqera Platform UI, and run nextflow auth login again.
Workarounds
Restrict the file and its parent directory:
chmod 600 "${NXF_HOME:-$HOME/.nextflow}/seqera-auth.config"
chmod 700 "${NXF_HOME:-$HOME/.nextflow}"
Alternatively, supply the Platform token via the TOWER_ACCESS_TOKEN environment variable instead of running nextflow auth login.
References
- https://cwe.mitre.org/data/definitions/276.html
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.nextflow:nextflow"
},
"ranges": [
{
"events": [
{
"introduced": "25.09.2-edge"
},
{
"fixed": "25.10.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.nextflow:nextflow"
},
"ranges": [
{
"events": [
{
"introduced": "26.00.0-edge"
},
{
"fixed": "26.04.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48722"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-732"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T21:45:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`nextflow auth login` persists Seqera Platform OIDC tokens to `${NXF_HOME:-~/.nextflow}/seqera-auth.config`. The file is created via Java NIO without specifying file permissions, so under the default `umask 022` it lands at mode `0644` (world-readable).\n\nOn a multi-user POSIX host \u2014 typically an HPC login node, shared workstation, or jump host \u2014 any local user able to traverse the victim\u0027s home directory can read the file and obtain a valid Platform bearer token, enabling impersonation against Seqera Platform within the token\u0027s scope.\n\nSingle-user systems and headless CI runners, which do not invoke the interactive login flow, are not affected.\n\nAffected versions: `25.09.2-edge` through `26.04.1`.\n \n### Patches\n\nFixed in `\u003cPATCHED_VERSION\u003e`. The patched code applies mode `0600` to `seqera-auth.config` immediately after writing it, and re-applies on every subsequent login so any pre-existing world-readable copy left by an earlier version is tightened.\n\nTokens previously stored in the file must be treated as disclosed. After upgrading, run `nextflow auth logout`, revoke the token in the Seqera Platform UI, and run `nextflow auth login` again.\n\n### Workarounds\n \nRestrict the file and its parent directory:\n\n`chmod 600 \"${NXF_HOME:-$HOME/.nextflow}/seqera-auth.config\"`\n`chmod 700 \"${NXF_HOME:-$HOME/.nextflow}\"`\n\nAlternatively, supply the Platform token via the `TOWER_ACCESS_TOKEN` environment variable instead of running `nextflow auth login`.\n\n### References\n \n - https://cwe.mitre.org/data/definitions/276.html",
"id": "GHSA-92qf-fcph-v5wr",
"modified": "2026-06-25T21:45:55Z",
"published": "2026-06-25T21:45:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nextflow-io/nextflow/security/advisories/GHSA-92qf-fcph-v5wr"
},
{
"type": "PACKAGE",
"url": "https://github.com/nextflow-io/nextflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "nextflow auth login command has incorrect default permissions"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.