Skip to main content

Steam Trader CVE-2026-5128

| EUVDEUVD-2026-17075 CRITICAL
Information Exposure (CWE-200)
2026-03-30 TuranSec
10.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 10:00 euvd
EUVD-2026-17075
Analysis Generated
Mar 30, 2026 - 10:00 vuln.today
CVE Published
Mar 30, 2026 - 09:18 nvd
CRITICAL 10.0

DescriptionCVE.org

A sensitive information exposure vulnerability exists in ArthurFiorette steam-trader 2.1.1. An unauthenticated attacker can send a request to the /users API endpoint to retrieve highly sensitive Steam account data, including the account username, password, identity secret, and shared secret. In addition, application logs expose authentication artifacts such as access tokens, refresh tokens, and session identifiers. This information allows an attacker to generate valid Steam Guard (2FA) codes, hijack authenticated sessions, and obtain full control over the affected Steam account, including unauthorized access to inventory and trading functionality. No fix is available because the repository is archived and no longer maintained.

AnalysisAI

ArthurFiorette steam-trader 2.1.1 exposes complete Steam account credentials through an unauthenticated API endpoint, enabling account takeover. Attackers can retrieve usernames, passwords, identity secrets, shared secrets, and session tokens via the /users endpoint without authentication (CVSS:3.1 AV:N/AC:L/PR:N). This critical vulnerability (CVSS 10.0) allows generation of valid Steam Guard 2FA codes and complete account hijacking. EPSS data unavailable, no CISA KEV listing, and critically: no patch exists as the repository is archived and unmaintained. Authentication bypass and information disclosure tags confirm trivial exploitation requiring only network access.

Technical ContextAI

The vulnerability affects steam-trader (CPE: cpe:2.3:a:arthurfiorette:steam-trader:*:*:*:*:*:*:*:*), a Node.js library for automating Steam trading operations. The root cause falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), specifically an access control failure on the /users API endpoint. The application stores and exposes authentication secrets required for Steam's authentication flow, including identity_secret and shared_secret parameters used in Steam Guard mobile authenticator implementations (RFC 6238 TOTP-based 2FA). The exposed authentication artifacts (access tokens, refresh tokens, session identifiers) represent OAuth 2.0 bearer tokens that grant immediate authenticated access without requiring credential verification. Application logs compound the exposure by persisting these secrets in plaintext, creating multiple attack vectors for credential harvesting.

RemediationAI

No vendor-released patch exists and none will be developed as the repository is permanently archived and unmaintained. Organizations must immediately remove all deployments of steam-trader 2.1.1 from production environments. Conduct emergency inventory scans to identify any applications using this package as a dependency (check package.json, package-lock.json, or yarn.lock files). Revoke and rotate all Steam account credentials that were exposed through this application, including generating new identity secrets and shared secrets through Steam's account security settings. Invalidate all active sessions and authentication tokens for affected accounts. For organizations requiring Steam trading automation, migrate to actively maintained alternatives with security audit history, or develop in-house solutions with proper authentication controls, secret management (encrypted storage, environment variables), and API endpoint authorization. Review application logs for evidence of unauthorized /users endpoint access and assess potential account compromise. No workaround exists for securing the vulnerable version-complete removal is mandatory.

Share

CVE-2026-5128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy