Nextflow CVE-2026-48722
MEDIUMSeverity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Local low-privileged shell access required to read the credential file; sole measurable impact is confidentiality of the stored bearer token with no integrity or availability effect.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
nextflow auth login persists Seqera Platform OIDC tokens to ${NXF_HOME:-~/.nextflow}/seqera-auth.config. The file is created via Java NIO without specifying file permissions, so under the default umask 022 it lands at mode 0644 (world-readable).
On a multi-user POSIX host - typically an HPC login node, shared workstation, or jump host - any local user able to traverse the victim's home directory can read the file and obtain a valid Platform bearer token, enabling impersonation against Seqera Platform within the token's scope.
Single-user systems and headless CI runners, which do not invoke the interactive login flow, are not affected.
Affected versions: 25.09.2-edge through 26.04.1.
Patches
Fixed in <PATCHED_VERSION>. The patched code applies mode 0600 to seqera-auth.config immediately after writing it, and re-applies on every subsequent login so any pre-existing world-readable copy left by an earlier version is tightened.
Tokens previously stored in the file must be treated as disclosed. After upgrading, run nextflow auth logout, revoke the token in the Seqera Platform UI, and run nextflow auth login again.
Workarounds
Restrict the file and its parent directory:
chmod 600 "${NXF_HOME:-$HOME/.nextflow}/seqera-auth.config" chmod 700 "${NXF_HOME:-$HOME/.nextflow}"
Alternatively, supply the Platform token via the TOWER_ACCESS_TOKEN environment variable instead of running nextflow auth login.
References
- https://cwe.mitre.org/data/definitions/276.html
AnalysisAI
Insecure default file permissions in Nextflow's auth login command expose Seqera Platform OIDC bearer tokens to any local user on shared POSIX systems running affected versions 25.09.2-edge through 26.04.1. The credential file seqera-auth.config is written via Java NIO without explicit permission bits, landing at mode 0644 under the typical umask 022, making it world-readable on HPC login nodes, shared workstations, and jump hosts - exactly the infrastructure where Nextflow is most commonly deployed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following to be true simultaneously: (1) the victim has run `nextflow auth login` at least once on a Nextflow version between 25.09.2-edge and 26.04.1, generating a `seqera-auth.config` file; (2) the attacker holds a local shell account on the same multi-user POSIX host; (3) the victim's home directory is world-traversable (execute bit set for others - mode 711 or 755, which is the default on most Linux distributions and HPC systems). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (score 5.5) accurately characterizes the threat: local access is mandatory, no privilege escalation is needed beyond a standard shell account, exploitation is low-complexity, and the sole impact is complete confidentiality loss of the stored credential. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user on a shared bioinformatics HPC login node - where dozens of researchers share a single system to submit Nextflow jobs - notices that a colleague's home directory is world-traversable. The attacker runs `cat ~victim/.nextflow/seqera-auth.config` and immediately obtains a valid Seqera Platform bearer token requiring no special tools or privilege. … |
| Remediation | Upgrade to Nextflow 25.10.6 (25.x branch) or 26.04.3 (26.x branch); these releases apply mode 0600 to `seqera-auth.config` immediately after writing and re-apply the restriction on every subsequent login, also correcting any pre-existing world-readable copy created by a vulnerable version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-92qf-fcph-v5wr