Skip to main content

Cveclient Encrypt Storage Js EUVDEUVD-2026-18554

| CVE-2026-35467 HIGH
Insufficiently Protected Credentials (CWE-522)
2026-04-02 certcc
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:07 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.1.15
EUVD ID Assigned
Apr 02, 2026 - 21:01 euvd
EUVD-2026-18554
Analysis Generated
Apr 02, 2026 - 21:01 vuln.today
CVE Published
Apr 02, 2026 - 20:27 nvd
HIGH 7.5

DescriptionCVE.org

The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials.

AnalysisAI

Stored API keys in CERT/CC's cveClient encrypt-storage.js are not marked as protected in browser temporary storage, enabling extraction of encryption credentials through JavaScript console access or error messages. Attackers with local access to a user's browser environment can retrieve sensitive API keys without authentication, affecting all versions before 1.1.15.

Technical ContextAI

The vulnerability exists in the encrypt-storage.js module of CERT/CC's cveClient application, which handles client-side encryption credential storage in temporary browser memory or session storage. The root cause is classified under CWE-522 (Insufficiently Protected Credentials), indicating that API keys and encryption material are stored without proper protection mechanisms such as marking sensitive data structures with non-serializable flags, secure context restrictions, or memory protection. Modern browsers expose stored data via developer tools and error stack traces when credentials are not explicitly protected; the absence of protections allows JavaScript running in the same origin (via console, debugger, or error handlers) to directly access these credentials. This is a client-side data exposure issue affecting the JavaScript runtime environment rather than a backend vulnerability.

RemediationAI

Vendor-released patch: cveClient version 1.1.15 or later includes fixes to protect stored API keys with appropriate browser storage protections. Users should upgrade to cveClient 1.1.15 or newer immediately. No workarounds are documented for earlier versions; if immediate upgrade is not feasible, restrict browser developer tool access and avoid storing API keys in temporary browser session storage. See CERT/CC's GitHub pull request #39 (https://github.com/CERTCC/cveClient/pull/39) and main repository (https://github.com/CERTCC/cveClient/) for patch details and installation instructions. The NVD advisory (https://nvd.nist.gov/vuln/detail/CVE-2026-35467) provides additional context.

Share

EUVD-2026-18554 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy