Skip to main content

TheHive CVE-2026-63098

| EUVDEUVD-2026-45196 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-07-17 VulnCheck GHSA-f4pj-hh6r-99c8
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable endpoint requires no authentication (AV:N, PR:N, AC:L); confidentiality impact is low (C:L) as disclosure is configuration data, not full system access; no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 16:19 vuln.today
CVE Published
Jul 17, 2026 - 15:38 cve.org
MEDIUM 6.9

DescriptionCVE.org

TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler. Attackers can obtain the datastore attachment protection password, configured authentication providers, SSO settings, MFA capabilities, and clustered node addresses and roles without any credentials.

AnalysisAI

Unauthenticated information disclosure in TheHive through 4.1.24 exposes sensitive configuration data - including the datastore attachment protection password, SSO settings, MFA capabilities, and clustered node addresses - to any network-reachable attacker via a single GET request to /api/status. The root cause is a missing authentication gate in the StatusCtrl.scala handler, a CWE-306 class defect. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover network-accessible TheHive instance
Delivery
Send unauthenticated GET /api/status request
Exploit
Parse JSON response for credentials and config
Execution
Extract datastore attachment password and SSO provider settings
Impact
Reuse credentials against connected SOC infrastructure

Vulnerability AssessmentAI

Exploitation TheHive must be running a version at or below 4.1.24, and the /api/status endpoint must be network-reachable from the attacker - this is the case in any internet-facing or intranet-accessible deployment, as the endpoint is present in the default installation with no special configuration required to enable it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N reflects low attack complexity and zero authentication requirement, meaning exploitation is reachable by any actor with network access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a network-accessible TheHive instance and issues a single HTTP GET request to /api/status, receiving a JSON response containing the datastore attachment protection password, SSO configuration, authentication provider list, MFA capability flags, and cluster node roles. A public POC hosted on GitHub documents this exact technique, making it reachable by low-skilled attackers. …
Remediation No vendor-released patched version has been identified in the available data - the fix version is unconfirmed and should be verified directly with the TheHive project at their official repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-63098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy