EUVD-2025-208954

CVE-2025-60949 | CRITICAL | CVSS 4.0 base score 9.3
2026-03-23 | cisa-cg | GHSA-2926-f789-68jv

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Mar 25, 2026 - 21:06 (vuln.today): PoC Detected - public exploit code
Mar 23, 2026 - 21:30 (vuln.today): Analysis Generated
Mar 23, 2026 - 21:30 (euvd): EUVD ID Assigned - EUVD-2025-208954
Mar 23, 2026 - 21:00 (nvd): CVE Published - CRITICAL 9.3

Description

Census CSWeb 8.0.1 allows "app/config" to be reachable via HTTP in some deployments. A remote, unauthenticated attacker could send requests to configuration files and obtain leaked secrets. Fixed in 8.1.0 alpha.

Analysis

Census CSWeb 8.0.1 contains an information disclosure vulnerability where the app/config endpoint is reachable via HTTP without authentication in certain deployments, allowing remote attackers to retrieve sensitive configuration data including secrets. This vulnerability has a CVSS score of 9.1 (Critical) and affects Census CSWeb versions prior to 8.1.0 alpha. A public proof-of-concept exploit is available on GitHub (https://github.com/hx381/cspro-exploits), significantly increasing the risk of active exploitation.

Technical Context

Census CSWeb is a web-based data dissemination system for census and survey data. The vulnerability affects CSWeb version 8.0.1 (CPE: cpe:2.3:a:census:csweb:*:*:*:*:*:*:*:*) and stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root cause is improper access control on the app/config directory structure, which allows HTTP requests to reach configuration files that should be restricted. In certain deployment configurations, these configuration endpoints are exposed to the network without requiring authentication, enabling unauthorized access to potentially sensitive application settings, database credentials, API keys, and other secrets stored in configuration files.

Affected Products

Census CSWeb versions 8.0.1 and earlier are affected by this vulnerability, as confirmed via CPE identifier cpe:2.3:a:census:csweb:*:*:*:*:*:*:*:*. The vulnerability is documented to be fixed in version 8.1.0 alpha. The issue specifically impacts deployments where the app/config endpoint is exposed via HTTP, which appears to be a configuration-dependent scenario rather than affecting all installations universally. Organizations should verify their deployment configuration to determine if the vulnerable endpoint is accessible. The fix commit is available at https://github.com/csprousers/csweb/commit/eba0b59a243390a1a4f9524cce6dbc0314bf0d91 and a CISA CSAF advisory is published at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-082-01.json.

Remediation

Immediately upgrade Census CSWeb to version 8.1.0 alpha or later, which addresses this vulnerability as documented in the GitHub commit at https://github.com/csprousers/csweb/commit/eba0b59a243390a1a4f9524cce6dbc0314bf0d91. Until patching is complete, apply compensating controls: configure web server or reverse proxy rules to explicitly deny access to the app/config path for all external requests, restrict CSWeb access to trusted IP ranges via firewall rules, and ensure the application is not directly exposed to the internet. Review application configuration files for any exposed secrets and rotate all credentials, API keys, and tokens that may have been reachable through this vulnerability. Consult the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-082-01.json for additional guidance, and consider network segmentation to isolate CSWeb instances from untrusted networks.
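The following nginx fragment is an added illustration of the first compensating control above (deny the app/config path at the reverse proxy); it is not part of the advisory, the CISA CSAF document, or the CSWeb project. It assumes CSWeb is served from the site root, so the configuration directory is reachable as /app/config; the hostname, backend address and trusted network range are placeholders.

```nginx
# Added example (not from the advisory or the CSWeb project): block external
# HTTP access to CSWeb's app/config directory until 8.1.0 alpha is deployed.
# Assumption: CSWeb is mounted at the site root, so the path is /app/config/...
# If CSWeb lives under a sub-path, change the prefix (e.g. ^/csweb/app/config).

server {
    listen 443 ssl;
    server_name csweb.example.org;            # placeholder hostname

    # nginx matches locations against the normalised (percent-decoded,
    # dot-segment-resolved) URI, so encoded or "/app/./config" spellings land here too.
    # The regex matches the directory itself and everything beneath it.
    location ~* ^/app/config(/|$) {
        # Log blocked attempts separately so they stand out when hunting for probing.
        access_log /var/log/nginx/csweb_config_denied.log;   # placeholder path
        # 404 rather than 403 so the response does not confirm the directory exists.
        return 404;
    }

    location / {
        # Optional second control from the advisory: restrict to trusted ranges only.
        # allow 10.0.0.0/8;                    # placeholder trusted range
        # deny all;
        proxy_pass http://127.0.0.1:8080;      # placeholder: the CSWeb backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, verify from outside the trusted network that a request for /app/config/ returns 404 while the application's normal pages still load; the separate log file gives a simple feed for detection of continued probing of the path.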

Priority Score

67 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +46
POC: +20

EUVD-2025-208954 vulnerability details – vuln.today