Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
AC:H reflects the requirement for on-path position or compromised destination; C:L because leaked credentials are scoped to configured service keys, not system-wide data.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. Prior to 1.11.0, Apprise HTTP-based notification plugins and HTTP attachment and config loaders in apprise/attachment/http.py and apprise/config/http.py follow HTTP redirects by default and resend user-configured auth headers and query parameters on the redirected request, allowing a compromised trusted destination or on-path attacker to receive secrets such as Authorization headers, bearer tokens, custom headers, and service keys. This issue is fixed in version 1.11.0.
AnalysisAI
HTTP redirect handling in Apprise prior to 1.11.0 leaks user-configured secrets - including Authorization headers, bearer tokens, custom headers, and service API keys - by blindly resending them on redirected requests to attacker-controlled endpoints. Any deployment using Apprise's HTTP-based notification plugins or its HTTP attachment and config loaders (apprise/attachment/http.py, apprise/config/http.py) is affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires one of two conditions: the attacker must hold an on-path network position capable of injecting HTTP redirects into traffic between the Apprise host and its notification/config/attachment destination, OR the attacker must have compromised or control a server that is already a configured, trusted destination in the victim's Apprise setup (e.g., a webhook URL, a remote config URL, or a remote attachment URL). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 3.1 (Low) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N captures the technical constraints accurately: exploitation requires high attack complexity (on-path position or a compromised trusted notification destination) and user interaction (a user must configure Apprise to communicate with the redirecting endpoint). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised a webhook receiver that a victim's Apprise instance is configured to notify - such as a third-party alerting service - configures that server to respond with an HTTP 301 redirect to an attacker-controlled URL. When Apprise sends a notification to the compromised endpoint, it follows the redirect and resends the original request's Authorization header and any configured bearer tokens or service API keys to the attacker's server. … |
| Remediation | Upgrade Apprise to version 1.11.0 or later; this is the vendor-confirmed fix (commit 68c0aef218055e4586cf4605fd6b56358f5f462d, PR #1610) available at https://github.com/caronc/apprise/releases/tag/v1.11.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42940