Common Weakness Enumeration

CWE-522

Allowed-with-Review

Insufficiently Protected Credentials

Abstraction: Class · Status: Incomplete

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

1811 vulnerabilities reference this CWE, most recent first.

GHSA-X4QP-7WVJ-8C69

Vulnerability from github – Published: 2022-07-15 00:00 – Updated: 2022-07-22 00:00
VLAI
Details

On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. This certificate is embedded in the firmware, and is identical across the fleet of devices. An attacker need only download this firmware and extract the private components of these certificates (from /etc/lighttpd.d/ca.pem and /etc/lighttpd.d/server.pem) to gain access. (The firmware download location is shown in a device's upgrade logs.)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28371"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-14T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "On Verizon 5G Home LVSKIHP InDoorUnit (IDU) 3.4.66.162 and OutDoorUnit (ODU) 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static certificate for access control. This certificate is embedded in the firmware, and is identical across the fleet of devices. An attacker need only download this firmware and extract the private components of these certificates (from /etc/lighttpd.d/ca.pem and /etc/lighttpd.d/server.pem) to gain access. (The firmware download location is shown in a device\u0027s upgrade logs.)",
  "id": "GHSA-x4qp-7wvj-8c69",
  "modified": "2022-07-22T00:00:40Z",
  "published": "2022-07-15T00:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28371"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JousterL/SecWriteups/blob/main/Verizon%20LVSKIHP%205G%20Modem/readme.md"
    },
    {
      "type": "WEB",
      "url": "https://www.verizon.com/info/reportsecurityvulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X58F-9H5M-89HM

Vulnerability from github – Published: 2024-10-22 03:31 – Updated: 2024-12-06 00:31
VLAI
Details

The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-22T02:15:04Z",
    "severity": "MODERATE"
  },
  "details": "The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series uOS firmware version V1.21 and earlier versions\u00a0could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.",
  "id": "GHSA-x58f-9h5m-89hm",
  "modified": "2024-12-06T00:31:46Z",
  "published": "2024-10-22T03:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9677"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-insufficiently-protected-credentials-vulnerability-in-firewalls-10-22-2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X62W-G776-JM7X

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

Plaintext Storage of Passwords within Cookies in /var/www/xms/application/controllers/verifyLogin.php in the administrative console in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to access a user's password in cleartext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-03T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "Plaintext Storage of Passwords within Cookies in /var/www/xms/application/controllers/verifyLogin.php in the administrative console in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to access a user\u0027s password in cleartext.",
  "id": "GHSA-x62w-g776-jm7x",
  "modified": "2022-05-13T01:49:18Z",
  "published": "2022-05-13T01:49:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11639"
    },
    {
      "type": "WEB",
      "url": "https://d3adend.org/blog/?p=1398"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X64H-J64M-8VMM

Vulnerability from github – Published: 2022-05-13 01:51 – Updated: 2022-05-13 01:51
VLAI
Details

Technicolor CWA0101 CWA0101E-A23E-c7000r5712-170315-SKC devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-25T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Technicolor CWA0101 CWA0101E-A23E-c7000r5712-170315-SKC devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.10001 and 1.3.6.1.4.1.4413.2.2.2.1.18.1.2.3.4.1.2.10001 SNMP requests.",
  "id": "GHSA-x64h-j64m-8vmm",
  "modified": "2022-05-13T01:51:04Z",
  "published": "2022-05-13T01:51:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20440"
    },
    {
      "type": "WEB",
      "url": "https://misteralfa-hack.blogspot.com/2018/12/technicolor-passwords-wireless-via-snmp.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X655-8W7Q-XMQG

Vulnerability from github – Published: 2022-05-13 01:51 – Updated: 2022-05-13 01:51
VLAI
Details

Technicolor TC7200.TH2v2 SC05.00.22 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-25T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Technicolor TC7200.TH2v2 SC05.00.22 devices allow remote attackers to discover Wi-Fi credentials via iso.3.6.1.4.1.2863.205.10.1.30.4.1.14.1.3.32 and iso.3.6.1.4.1.2863.205.10.1.30.4.2.4.1.2.32 SNMP requests.",
  "id": "GHSA-x655-8w7q-xmqg",
  "modified": "2022-05-13T01:51:04Z",
  "published": "2022-05-13T01:51:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20441"
    },
    {
      "type": "WEB",
      "url": "https://misteralfa-hack.blogspot.com/2018/12/technicolor-passwords-wireless-via-snmp.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X6GV-2RVH-QMP6

Vulnerability from github – Published: 2025-08-13 23:03 – Updated: 2025-10-27 16:22
VLAI
Summary
m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials
Details

Summary

The steam-workshop-deploy github action does not exclude the .git directory when packaging content for deployment and provides no built-in way to do so. If a .git folder exists in the target directory (e.g., due to a local Git repo, custom project structure, or via the actions/checkout workflow), it is silently included in the output package. This results in leakage of sensitive repository metadata and potentially credentials, including github personal access tokens (PATs) embedded in .git/config.

Many game modding projects require packaging from the project root as the game expects certain files (assets, configuration, metadata) to be present at specific root-level paths. Consequently, the .git directory often exists alongside these required files and gets packaged unintentionally, especially when using actions/checkout.

While github hosted runners automatically revoke ephemeral credentials at the end of each job, the severity of this issue increases dramatically in other CI environments:

  • Self-hosted runners may store long-lived tokens or secrets.
  • Developers may maintain their own .git folders with embedded PATs or remotes tied to private repositories.
  • The workflow may run without the actions/checkout action, distributing the .git directory present on the running machine if it exists in the directory.

A real example of an affected mod can be found here: https://github.com/BoldestDungeon/wildermyth-drauven-pcs/security/advisories/GHSA-7j9v-72w9-ww6w

Details

Who is affected: - Any user of steam-workshop-deploy operating in an environment where .git exists in the packaging directory. - Any user of steam-workshop-deploy operating in an environment where the actions/checkout workflow is used and then the .git directory is inadvertently generated within the packaging directory (greatly reduced severity due to the ephemeral nature of github actions).

Impact

The severity of this issue for downstream components can range from 0.0 (no credentials, sensitive metadata, or private source code were present in the packaging directory) to 10.0 (extremely sensitive, high privilige credentials or source code from private repositories were exposed).

The actual severity depends primarily on the permissions, scope, and nature of the exposed data: * Low/none (0.0-3.9): Only non-sensitive repository metadata was exposed, no credentials were present, or only public facing code was included. * Medium(4.0-6.9): Credentials with limited repository access and/or short lifespan (e.g., ephemeral tokens) were exposed, or non-sensitive private code was disclosed. * High/critical (7.0-10.0): Long-lived tokens, organization-wide credentials, or credentials with administrative privileges were exposed, potentially enabling full repository compromise, secret extraction, code tampering, or the complete leak of private repository source code.

As such, each downstream consumer should independently assess their exposure by reviewing packaged artifacts for the presence of .git directories or other credentials, and evaluating both the sensitivity of any credentials found and the confidentiality of any included source code.

Consequences may include: - Unauthorized access to git repositories via exposed PATs. - Tampering with repository code or metadata. - Malicious CI behavior (triggering workflows, reading secrets). - Disclosure of commit history, remote origins, or other sensitive internal structure.

Recommendation

This issue should be considered severe due to the potential exposure of sensitive tokens and repository metadata. Although most workflows that use steam-workshop-deploy also employ actions/checkout, which handles tokens and credentials more securely, there are legitimate use cases where actions/checkout is not used or where custom .git folders exist. Additionally, actions/checkout can accept a on-emphemeral tokens as a parameter for its workflow. In such cases, long-lived or sensitive credentials may be packaged and exposed, greatly increasing the risk of unauthorized access and repository compromise. Therefore, this issue should be considered severe regardless of common usage patterns.

Downstream: - Downstream components should revoke any credentials or PATs associated with workflows or repositories that use this github action

This Deployment Action

  • [x] The action should exclude .git/ and other common sensitive file(s) by default from all packaging operations.
  • [x] A deployignore or similar mechanism should be introduced to give users finer control of what files or directories are included for deployed artifacts
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "m00nl1ght-dev/steam-workshop-deploy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "BoldestDungeon/steam-workshop-deploy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-522",
      "CWE-527"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-13T23:03:26Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\nThe `steam-workshop-deploy` github action does not exclude the `.git` directory when packaging content for deployment and provides no built-in way to do so. If a `.git` folder exists in the target directory (e.g., due to a local Git repo, custom project structure, or via  the `actions/checkout` workflow), it is silently included in the output package. This results in leakage of sensitive repository metadata and potentially credentials, including github personal access tokens (PATs) embedded in `.git/config`.\n\nMany game modding projects require packaging from the project root as the game expects certain files (assets, configuration, metadata) to be present at specific root-level paths. Consequently, the `.git` directory often exists alongside these required files and gets packaged unintentionally, especially when using `actions/checkout`.\n\nWhile github hosted runners automatically revoke ephemeral credentials at the end of each job, the severity of this issue increases dramatically in other CI environments:\n\n- Self-hosted runners may store long-lived tokens or secrets.\n- Developers may maintain their own `.git` folders with embedded PATs or remotes tied to private repositories.\n- The workflow may run without the `actions/checkout` action, distributing the `.git` directory present on the running machine if it exists in the directory.\n\nA real example of an affected mod can be found here: https://github.com/BoldestDungeon/wildermyth-drauven-pcs/security/advisories/GHSA-7j9v-72w9-ww6w\n\n## Details\nWho is affected:\n- Any user of `steam-workshop-deploy` operating in an environment where `.git` exists in the packaging directory.\n- Any user of `steam-workshop-deploy` operating in an environment where the [actions/checkout](https://github.com/actions/checkout) workflow is used and then the `.git` directory is inadvertently generated within the packaging directory (greatly reduced severity due to the ephemeral nature of github actions).\n\n## Impact\nThe severity of this issue for downstream components can range from **0.0** (no credentials, sensitive metadata, or private source code were present in the packaging directory) to **10.0** (extremely sensitive, high privilige credentials or source code from private repositories were exposed).\n\nThe actual severity depends primarily on the permissions, scope, and nature of the exposed data:\n* **Low/none (0.0-3.9)**: Only non-sensitive repository metadata was exposed, no credentials were present, or only public facing code was included.\n* **Medium(4.0-6.9)**: Credentials with limited repository access and/or short lifespan (e.g., ephemeral tokens) were exposed, or non-sensitive private code was disclosed.\n* **High/critical (7.0-10.0)**: Long-lived tokens, organization-wide credentials, or credentials with administrative privileges were exposed, potentially enabling full repository compromise, secret extraction, code tampering, or the complete leak of private repository source code.\n\nAs such, each downstream consumer should independently assess their exposure by reviewing packaged artifacts for the presence of `.git` directories or other credentials, and evaluating both the sensitivity of any credentials found and the confidentiality of any included source code.\n\nConsequences may include:\n  - Unauthorized access to git repositories via exposed PATs.\n  - Tampering with repository code or metadata.\n  - Malicious CI behavior (triggering workflows, reading secrets).\n  - Disclosure of commit history, remote origins, or other sensitive internal structure.\n\n## Recommendation\nThis issue should be considered **severe** due to the potential exposure of sensitive tokens and repository metadata. Although most workflows that use `steam-workshop-deploy` also employ `actions/checkout`, which handles tokens and credentials more securely, there are legitimate use cases where `actions/checkout` is not used or where custom `.git` folders exist. Additionally, `actions/checkout` can accept a on-emphemeral tokens as a parameter for its workflow. In such cases, long-lived or sensitive credentials may be packaged and exposed, greatly increasing the risk of unauthorized access and repository compromise.  Therefore, this issue should be considered severe regardless of common usage patterns.\n\n**Downstream:**\n- Downstream components should revoke any credentials or PATs associated with workflows or repositories that use this github action\n\n**This Deployment Action**\n\n- [x] The action should exclude `.git/` and other common sensitive file(s) by default from all packaging operations.\n- [x] A `deployignore` or similar mechanism should be introduced to give users finer control of what files or directories are included for deployed artifacts",
  "id": "GHSA-x6gv-2rvh-qmp6",
  "modified": "2025-10-27T16:22:57Z",
  "published": "2025-08-13T23:03:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BoldestDungeon/steam-workshop-deploy/security/advisories/GHSA-x6gv-2rvh-qmp6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BoldestDungeon/steam-workshop-deploy/commit/0ba85729da32108e1cc498d1b3d6760857b5c04d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m00nl1ght-dev/steam-workshop-deploy/commit/913f0844e2153d798189397036918f4ceb0911e0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BoldestDungeon/steam-workshop-deploy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BoldestDungeon/steam-workshop-deploy/releases/tag/V2.0.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m00nl1ght-dev/steam-workshop-deploy/releases/tag/v4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials"
}

GHSA-X757-P3P6-CFVG

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2022-05-24 17:19
VLAI
Details

An issue was discovered in Foxit PhantomPDF before 8.3.10. It has mishandling of cloud credentials, as demonstrated by Google Drive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-04T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Foxit PhantomPDF before 8.3.10. It has mishandling of cloud credentials, as demonstrated by Google Drive.",
  "id": "GHSA-x757-p3p6-cfvg",
  "modified": "2022-05-24T17:19:15Z",
  "published": "2022-05-24T17:19:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20833"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X75R-G63M-82WJ

Vulnerability from github – Published: 2022-03-16 00:00 – Updated: 2023-10-27 17:03
VLAI
Summary
Passwords stored in plain text by Jenkins dbCharts Plugin
Details

Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file hudson.plugins.dbcharts.DbChartPublisher.xml on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:dbCharts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-27216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-30T18:55:24Z",
    "nvd_published_at": "2022-03-15T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file `hudson.plugins.dbcharts.DbChartPublisher.xml` on the Jenkins controller as part of its configuration.\n\nThese passwords can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-x75r-g63m-82wj",
  "modified": "2023-10-27T17:03:00Z",
  "published": "2022-03-16T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27216"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/dbCharts-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2159"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Passwords stored in plain text by Jenkins dbCharts Plugin"
}

GHSA-X784-RW8J-Q6W6

Vulnerability from github – Published: 2023-09-20 09:30 – Updated: 2024-03-21 03:35
VLAI
Details

** UNSUPPPORTED WHEN ASSIGNED ** The web application stores credentials in clear text in the "admin.xml" file, which can be accessed without logging into the website, which could allow an attacker to obtain credentials related to all users, including admin users, in clear text, and use them to subsequently execute malicious actions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-20T08:15:15Z",
    "severity": "MODERATE"
  },
  "details": "** UNSUPPPORTED WHEN ASSIGNED ** The web application stores credentials in clear text in the \"admin.xml\" file, which can be accessed without logging into the website, which could allow an attacker to obtain credentials related to all users, including admin users, in clear text, and use them to subsequently execute malicious actions.",
  "id": "GHSA-x784-rw8j-q6w6",
  "modified": "2024-03-21T03:35:47Z",
  "published": "2023-09-20T09:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47561"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7CF-6GP3-Q5F8

Vulnerability from github – Published: 2026-06-16 21:31 – Updated: 2026-06-17 17:54
VLAI
Summary
Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-rjxq-qqhf-8hwh. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2026.5.12"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T17:54:46Z",
    "nvd_published_at": "2026-06-16T19:17:00Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rjxq-qqhf-8hwh. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.",
  "id": "GHSA-x7cf-6gp3-q5f8",
  "modified": "2026-06-17T17:54:46Z",
  "published": "2026-06-16T21:31:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rjxq-qqhf-8hwh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53840"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-custom-header-leakage-via-mcp-streamable-http-cross-origin-redirects"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin",
  "withdrawn": "2026-06-17T17:54:46Z"
}

Mitigation
Architecture and Design

Use an appropriate security mechanism to protect the credentials.

Mitigation
Architecture and Design

Make appropriate use of cryptography to protect the credentials.

Mitigation
Implementation

Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).

CAPEC-102: Session Sidejacking

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

CAPEC-474: Signature Spoofing by Key Theft

An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.

CAPEC-509: Kerberoasting

Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.

CAPEC-551: Modify Existing Service

When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.

CAPEC-555: Remote Services with Stolen Credentials

This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-561: Windows Admin Shares with Stolen Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-644: Use of Captured Hashes (Pass The Hash)

An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

CAPEC-645: Use of Captured Tickets (Pass The Ticket)

An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.