Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
Reserved. Details will be published at disclosure.
AnalysisAI
Information disclosure in Cribl Stream versions prior to 4.17.1 allows authenticated remote attackers with low privileges to obtain sensitive data when a user interacts with attacker-supplied content, per CVSS 4.0 vector AV:N/AC:L/PR:L/UI:A. The flaw, classified as CWE-20 (Improper Input Validation), carries a CVSS base score of 8.4 reflecting high confidentiality and integrity impact, but EPSS is only 0.02% (5th percentile) and CISA SSVC reports no observed exploitation. No public exploit identified at time of analysis.
Technical ContextAI
Cribl Stream is an observability data pipeline used to collect, route, and transform logs, metrics, and events between sources and analytics destinations such as SIEMs and data lakes. The CPE cpe:2.3:a:cribl:cribl_stream identifies the affected product line, and the CWE-20 (Improper Input Validation) classification indicates the root cause is the application accepting or processing input without sufficient validation, allowing a low-privileged authenticated user - combined with a victim interaction - to coerce the application into disclosing or altering data it should not. Because Stream typically processes high-sensitivity telemetry (security logs, API tokens routed in pipelines, customer event data), an input-validation flaw in this control plane has outsized confidentiality consequences relative to a generic web app.
RemediationAI
Upgrade Cribl Stream to version 4.17.1 or later, which Cribl identifies in the v4.17.1 release notes (https://docs.cribl.io/stream/release-notes/release-v4171#security-fixes) as containing the security fix; this is the primary and vendor-recommended remediation. Until upgrade is completed, restrict Cribl Stream UI and API access to a trusted management network and tighten role assignments so that the PR:L precondition cannot be met by general users - review any non-admin accounts and remove unnecessary low-privileged access, accepting the trade-off that downstream pipeline operators may lose self-service capability. Because exploitation requires UI:A (user interaction), brief Stream administrators and editors to avoid interacting with unsolicited content or links presented inside the Stream console until patched, and monitor Cribl's trust notification page at https://trust.cribl.io/notifications for any post-disclosure indicators of compromise.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29357
GHSA-6gcc-j9m6-4752