CVE-2026-56783
⚪ Do wiadomości
W Parseable przed 2.9.2 ujawnienie informacji w API pozwala na odzyskanie tokenów i poświadczeń.
CVSS
6.5
EPSS
0.0%
Exploit
none
Vendor
Opis źródłowy (NVD)
Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.
brak
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 6.5 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-06-29 18:16:38 UTC |
| Ostatnia modyfikacja (NVD) | 2026-06-29 19:13:31 UTC |
Referencje
- https://github.com/parseablehq/parseable/commit/f307c4989cc9f3ff4204fd383dec7a39924e6b2a (disclosure@vulncheck.com)
- https://github.com/parseablehq/parseable/issues/1693 (disclosure@vulncheck.com)
- https://github.com/parseablehq/parseable/pull/1698 (disclosure@vulncheck.com)
- https://github.com/parseablehq/parseable/releases/tag/v2.9.2 (disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/parseable-cleartext-credential-exposure-in-notification-target-api (disclosure@vulncheck.com)