macOS
CVE-2026-32810
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Halloy is an IRC application written in Rust. In versions on \*nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in 0644 on files and 0755 on directories. This allows any local user on the system to read plaintext credentials stored in config.toml or referenced password_file paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.
AnalysisAI
Halloy, an IRC application written in Rust, fails to properly restrict file permissions on its configuration directory and files on *nix and macOS systems prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, resulting in world-readable access to plaintext credentials. Any local user on an affected system can read sensitive authentication data stored in config.toml or referenced password files, leading to credential compromise. While no CVSS score or EPSS data is currently available, the vulnerability represents a direct information disclosure risk with low exploitation complexity.
Technical ContextAI
Halloy is a Rust-based IRC client (CPE: cpe:2.3:a:squidowl:halloy:*:*:*:*:*:*:*:*) that stores configuration data including plaintext credentials in user-accessible directories. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource), where the application relies on default system umask settings rather than explicitly enforcing restrictive file permissions. On typical Unix-like systems, default umask results in file permissions of 0644 (readable by all users) and directory permissions of 0755 (traversable and readable by all users). This is a common misconfiguration in multi-user environments where local privilege separation is essential, and the Rust standard library and file I/O operations do not automatically enforce tighter permissions without explicit developer intervention.
RemediationAI
Update Halloy to a version released after commit f180e41061db393acf65bc99f5c5e7397586d9cb, which patches the permission assignment issue by explicitly setting restrictive file and directory permissions during creation. Refer to the vendor security advisory at https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7g and https://github.com/squidowl/halloy/commit/f180e41061db393acf65bc99f5c5e7397586d9cb for exact patched versions and deployment guidance. As an interim workaround on affected systems, manually restrict permissions on the Halloy config directory (typically ~/.config/halloy or similar) to 0700 (owner-only access) and all files within to 0600 using chmod commands; however, this must be applied manually after each configuration change and is not a permanent fix. The preferred and definitive remedy is to upgrade to the patched version.
An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility develope
A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability
Apple's kernel across all platforms (iOS, macOS, watchOS, visionOS, tvOS) contains a memory corruption vulnerability (CV
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The issue was addressed with improved checks. Rated high severity (CVSS 7.0). Actively exploited in the wild (cisa kev)
A logic issue was addressed with improved restrictions. Rated high severity (CVSS 7.8), this vulnerability is no authent
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environmen
A race condition was addressed with additional validation. Rated high severity (CVSS 7.0), this vulnerability is no auth
This issue was addressed with improved checks. Rated critical severity (CVSS 10.0), this vulnerability is remotely explo
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t
When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today