EUVD-2026-17075CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Description
A sensitive information exposure vulnerability exists in ArthurFiorette steam-trader 2.1.1. An unauthenticated attacker can send a request to the /users API endpoint to retrieve highly sensitive Steam account data, including the account username, password, identity secret, and shared secret. In addition, application logs expose authentication artifacts such as access tokens, refresh tokens, and session identifiers. This information allows an attacker to generate valid Steam Guard (2FA) codes, hijack authenticated sessions, and obtain full control over the affected Steam account, including unauthorized access to inventory and trading functionality. No fix is available because the repository is archived and no longer maintained.
Analysis
ArthurFiorette steam-trader 2.1.1 exposes complete Steam account credentials through an unauthenticated API endpoint, enabling account takeover. Attackers can retrieve usernames, passwords, identity secrets, shared secrets, and session tokens via the /users endpoint without authentication (CVSS:3.1 AV:N/AC:L/PR:N). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running steam-trader 2.1.1 and isolate affected instances from production networks. Within 7 days: Decommission steam-trader 2.1.1 entirely or replace with actively maintained alternatives; force password resets for all compromised Steam accounts and audit access logs for the /users endpoint. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today