GHSA-WJHR-76VG-2HVC

Vulnerability from github – Published: 2026-07-15 17:33 – Updated: 2026-07-15 17:33
VLAI
Summary
garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store
Details

Insecure Permission Assignment for Garmin OAuth Token Store

Summary

garminconnect (≤ 0.3.4) wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask (022) the token file garmin_tokens.json was created world-readable (0o644). The file contains the DI refresh token, so any other local user on a shared host could read it and obtain persistent, unauthorized access to the victim's Garmin Connect account.

  • Severity: High
  • Weakness: CWE-732 (Incorrect Permission Assignment for Critical Resource)
  • Affected versions: <= 0.3.4
  • Patched version: 0.3.5

Details

Client.dump() created the token directory and file with no mode argument, leaving permissions entirely to the process umask:

def dump(self, path: str) -> None:
    p = Path(path).expanduser()
    if p.is_dir() or not p.name.endswith(".json"):
        p = p / "garmin_tokens.json"
    p.parent.mkdir(parents=True, exist_ok=True)   # no mode=
    p.write_text(self.dumps())                     # no permission restriction

The serialized payload includes di_token, di_refresh_token, and di_client_id. The call is in the core library (Garmin.login(tokenstore=...) persists tokens this way), and all shipped usage examples default the token store to ~/.garminconnect.

Under umask 022 the resulting permissions were:

  • token directory → 0o755
  • garmin_tokens.json0o644 (world-readable)

A separate, unprivileged user on the same machine could read the file with a plain open() — no elevated privileges required — and extract the refresh token.

Impact

Local credential theft / privilege escalation on multi-user Linux or macOS hosts running under a permissive umask. The stolen refresh token can be exchanged for fresh access tokens via Garmin's OAuth endpoint, granting ongoing access to the victim's account (health/fitness data, activity history, device management) until the token is revoked.

Patch

Fixed in 0.3.5 (commit 77a3837). dump() now creates the directory as 0o700 and writes the token file as 0o600 regardless of umask — using os.open(..., O_CREAT|O_WRONLY|O_TRUNC, 0o600) with O_NOFOLLOW where available, plus a defensive chmod that also tightens a pre-existing loose file:

p.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
with contextlib.suppress(OSError):
    p.parent.chmod(0o700)
flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
if hasattr(os, "O_NOFOLLOW"):
    flags |= os.O_NOFOLLOW
fd = os.open(p, flags, 0o600)
with os.fdopen(fd, "w", encoding="utf-8") as f:
    f.write(self.dumps())
with contextlib.suppress(OSError):
    p.chmod(0o600)

Verified under umask 022: directory 0o700, file 0o600, no group/other access.

Workarounds

If you cannot upgrade immediately, restrict the token store manually and keep it owner-only:

chmod 700 ~/.garminconnect
chmod 600 ~/.garminconnect/garmin_tokens.json

Remediation

  1. Upgrade to garminconnect >= 0.3.5: bash pip install --upgrade garminconnect
  2. Fix any token file already on disk — upgrading only tightens permissions on the next write, so an existing world-readable file stays exposed until then: bash chmod 600 ~/.garminconnect/garmin_tokens.json # or remove it and log in again to mint a fresh token store
  3. If the file was exposed on a shared host, treat the refresh token as compromised. Re-authenticate (delete the token store and log in again) so a new token is issued; consider the previously stored token potentially read by others until rotated.

Credit

Reported by EQSTLab via a private security advisory. garminconnect thanks them for the detailed, responsible disclosure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "garminconnect"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-15T17:33:00Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Insecure Permission Assignment for Garmin OAuth Token Store\n\n### Summary\n\n`garminconnect` (\u2264 0.3.4) wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask (`022`) the token file `garmin_tokens.json` was created world-readable (`0o644`). The file contains the DI **refresh token**, so any other local user on a shared host could read it and obtain persistent, unauthorized access to the victim\u0027s Garmin Connect account.\n\n- **Severity:** High\n- **Weakness:** CWE-732 (Incorrect Permission Assignment for Critical Resource)\n- **Affected versions:** `\u003c= 0.3.4`\n- **Patched version:** `0.3.5`\n\n### Details\n\n`Client.dump()` created the token directory and file with no `mode` argument, leaving permissions entirely to the process umask:\n\n```python\ndef dump(self, path: str) -\u003e None:\n    p = Path(path).expanduser()\n    if p.is_dir() or not p.name.endswith(\".json\"):\n        p = p / \"garmin_tokens.json\"\n    p.parent.mkdir(parents=True, exist_ok=True)   # no mode=\n    p.write_text(self.dumps())                     # no permission restriction\n```\n\nThe serialized payload includes `di_token`, `di_refresh_token`, and `di_client_id`. The call is in the core library (`Garmin.login(tokenstore=...)` persists tokens this way), and all shipped usage examples default the token store to `~/.garminconnect`.\n\nUnder `umask 022` the resulting permissions were:\n\n- token directory \u2192 `0o755`\n- `garmin_tokens.json` \u2192 `0o644` (world-readable)\n\nA separate, unprivileged user on the same machine could read the file with a plain `open()` \u2014 no elevated privileges required \u2014 and extract the refresh token.\n\n### Impact\n\nLocal credential theft / privilege escalation on multi-user Linux or macOS hosts running under a permissive umask. The stolen refresh token can be exchanged for fresh access tokens via Garmin\u0027s OAuth endpoint, granting ongoing access to the victim\u0027s account (health/fitness data, activity history, device management) until the token is revoked.\n\n### Patch\n\nFixed in **0.3.5** (commit `77a3837`). `dump()` now creates the directory as `0o700` and writes the token file as `0o600` regardless of umask \u2014 using `os.open(..., O_CREAT|O_WRONLY|O_TRUNC, 0o600)` with `O_NOFOLLOW` where available, plus a defensive `chmod` that also tightens a pre-existing loose file:\n\n```python\np.parent.mkdir(mode=0o700, parents=True, exist_ok=True)\nwith contextlib.suppress(OSError):\n    p.parent.chmod(0o700)\nflags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC\nif hasattr(os, \"O_NOFOLLOW\"):\n    flags |= os.O_NOFOLLOW\nfd = os.open(p, flags, 0o600)\nwith os.fdopen(fd, \"w\", encoding=\"utf-8\") as f:\n    f.write(self.dumps())\nwith contextlib.suppress(OSError):\n    p.chmod(0o600)\n```\n\nVerified under `umask 022`: directory `0o700`, file `0o600`, no group/other access.\n\n### Workarounds\n\nIf you cannot upgrade immediately, restrict the token store manually and keep it owner-only:\n\n```bash\nchmod 700 ~/.garminconnect\nchmod 600 ~/.garminconnect/garmin_tokens.json\n```\n\n### Remediation\n\n1. **Upgrade** to `garminconnect \u003e= 0.3.5`:\n   ```bash\n   pip install --upgrade garminconnect\n   ```\n2. **Fix any token file already on disk** \u2014 upgrading only tightens permissions\n   on the *next* write, so an existing world-readable file stays exposed until\n   then:\n   ```bash\n   chmod 600 ~/.garminconnect/garmin_tokens.json\n   # or remove it and log in again to mint a fresh token store\n   ```\n3. **If the file was exposed on a shared host, treat the refresh token as\n   compromised.** Re-authenticate (delete the token store and log in again) so\n   a new token is issued; consider the previously stored token potentially\n   read by others until rotated.\n\n### Credit\n\nReported by **EQSTLab** via a private security advisory. garminconnect thanks them for the detailed, responsible disclosure.",
  "id": "GHSA-wjhr-76vg-2hvc",
  "modified": "2026-07-15T17:33:00Z",
  "published": "2026-07-15T17:33:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cyberjunky/python-garminconnect/security/advisories/GHSA-wjhr-76vg-2hvc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cyberjunky/python-garminconnect/commit/77a3837f1f79d486663c9646438e70e8319e1a48"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cyberjunky/python-garminconnect/commit/f74174a5647e1af78eca1f8f3a0aa5dc5a899947"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cyberjunky/python-garminconnect"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cyberjunky/python-garminconnect/releases/tag/0.3.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…