Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS.
To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later.
AnalysisAI
Information disclosure in AWS Graph Explorer before v3.0.1 occurs because the bundled proxy server silently falls back to plaintext HTTP when its TLS certificate files cannot be loaded, causing requests intended for HTTPS to traverse the network unencrypted. Network-positioned attackers can intercept these requests and harvest sensitive graph queries, headers, or credentials. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Technical ContextAI
Graph Explorer is an open-source visual exploration UI for Amazon Neptune and other graph databases (cpe:2.3:a:aws:graph_explorer); it ships with a Node-based proxy server that brokers connections between the browser and the graph endpoint. The flaw is a CWE-319 (Cleartext Transmission of Sensitive Information) defect in that proxy: when HTTPS is enabled but certificate generation or discovery fails, prior versions degraded to HTTP instead of failing closed. The vendor release notes attribute the silent fallback partly to a separate Docker entrypoint bug that ignored custom config directories, causing operator-supplied certificates to be skipped without warning while the proxy continued serving plaintext.
RemediationAI
Vendor-released patch: Graph Explorer v3.0.1 - upgrade per the release at https://github.com/aws/graph-explorer/releases/tag/v3.0.1 and the AWS bulletin at https://aws.amazon.com/security/security-bulletins/2026-038-aws/, which changes the proxy to exit with a clear error rather than silently degrade to HTTP when certificates cannot be loaded. Until upgrade is possible, operators should verify their HTTPS certificate files are actually being loaded (check proxy logs and the configured config directory path, especially under Docker where the prior entrypoint bug ignored custom paths), or explicitly disable HTTPS in configuration so the deployment posture is intentional rather than silently downgraded - note that explicitly disabling HTTPS still leaves traffic in cleartext and only helps if the proxy is on a trusted segment. As a network-layer compensating control, restrict the proxy to a loopback or isolated management network and front it with a reverse proxy that terminates TLS, accepting the operational cost of an extra hop.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34011