Skip to main content

Nextflow CVE-2026-48722

MEDIUM
Incorrect Default Permissions (CWE-276)
2026-06-25 https://github.com/nextflow-io/nextflow GHSA-92qf-fcph-v5wr
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.5 MEDIUM

Local low-privileged shell access required to read the credential file; sole measurable impact is confidentiality of the stored bearer token with no integrity or availability effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 22:38 vuln.today
Analysis Generated
Jun 25, 2026 - 22:38 vuln.today

DescriptionGitHub Advisory

Impact

nextflow auth login persists Seqera Platform OIDC tokens to ${NXF_HOME:-~/.nextflow}/seqera-auth.config. The file is created via Java NIO without specifying file permissions, so under the default umask 022 it lands at mode 0644 (world-readable).

On a multi-user POSIX host - typically an HPC login node, shared workstation, or jump host - any local user able to traverse the victim's home directory can read the file and obtain a valid Platform bearer token, enabling impersonation against Seqera Platform within the token's scope.

Single-user systems and headless CI runners, which do not invoke the interactive login flow, are not affected.

Affected versions: 25.09.2-edge through 26.04.1.

Patches

Fixed in <PATCHED_VERSION>. The patched code applies mode 0600 to seqera-auth.config immediately after writing it, and re-applies on every subsequent login so any pre-existing world-readable copy left by an earlier version is tightened.

Tokens previously stored in the file must be treated as disclosed. After upgrading, run nextflow auth logout, revoke the token in the Seqera Platform UI, and run nextflow auth login again.

Workarounds

Restrict the file and its parent directory:

chmod 600 "${NXF_HOME:-$HOME/.nextflow}/seqera-auth.config" chmod 700 "${NXF_HOME:-$HOME/.nextflow}"

Alternatively, supply the Platform token via the TOWER_ACCESS_TOKEN environment variable instead of running nextflow auth login.

References

  • https://cwe.mitre.org/data/definitions/276.html

AnalysisAI

Insecure default file permissions in Nextflow's auth login command expose Seqera Platform OIDC bearer tokens to any local user on shared POSIX systems running affected versions 25.09.2-edge through 26.04.1. The credential file seqera-auth.config is written via Java NIO without explicit permission bits, landing at mode 0644 under the typical umask 022, making it world-readable on HPC login nodes, shared workstations, and jump hosts - exactly the infrastructure where Nextflow is most commonly deployed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local shell account on shared HPC node
Delivery
Identify victim who ran nextflow auth login
Exploit
Traverse world-executable home directory
Execution
Read world-readable seqera-auth.config
Persist
Extract Seqera Platform bearer token
Impact
Impersonate victim against Seqera Platform API

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following to be true simultaneously: (1) the victim has run `nextflow auth login` at least once on a Nextflow version between 25.09.2-edge and 26.04.1, generating a `seqera-auth.config` file; (2) the attacker holds a local shell account on the same multi-user POSIX host; (3) the victim's home directory is world-traversable (execute bit set for others - mode 711 or 755, which is the default on most Linux distributions and HPC systems). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (score 5.5) accurately characterizes the threat: local access is mandatory, no privilege escalation is needed beyond a standard shell account, exploitation is low-complexity, and the sole impact is complete confidentiality loss of the stored credential. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user on a shared bioinformatics HPC login node - where dozens of researchers share a single system to submit Nextflow jobs - notices that a colleague's home directory is world-traversable. The attacker runs `cat ~victim/.nextflow/seqera-auth.config` and immediately obtains a valid Seqera Platform bearer token requiring no special tools or privilege. …
Remediation Upgrade to Nextflow 25.10.6 (25.x branch) or 26.04.3 (26.x branch); these releases apply mode 0600 to `seqera-auth.config` immediately after writing and re-apply the restriction on every subsequent login, also correcting any pre-existing world-readable copy created by a vulnerable version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-48722 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy