Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable API exploitable by a low-privilege authenticated account (PR:L), no user interaction, yielding cleartext credential disclosure (C:H) with no integrity or availability impact.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.
AnalysisAI
Cleartext credential exposure in Parseable before 2.9.2 lets any authenticated user holding the GetAlert action - including low-privilege reader roles - retrieve webhook tokens, basic-auth credentials, and internal endpoint URLs for every configured notification target by calling GET /api/v1/targets. The exposure stems from secret-masking logic that was commented out, so the API serializes stored secrets verbatim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated Parseable account (any role) that has been granted the GetAlert action - explicitly including low-privilege reader roles - plus at least one notification target (webhook or basic-auth HTTP target) already configured with stored credentials; an instance with no notification targets defined has nothing to leak. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) is internally consistent with the description: network-reachable API, low complexity, low privileges (an authenticated reader), no user interaction, and a high confidentiality impact with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user provisioned with only a low-privilege reader role (or an attacker who has phished or compromised such an account) sends GET /api/v1/targets to the Parseable API over the network. The response returns every notification target's webhook token and basic-auth credentials in cleartext, which the attacker harvests to authenticate directly against the organization's Slack, PagerDuty, or internal HTTP receivers. … |
| Remediation | Upgrade to the vendor-released patch: Parseable v2.9.2 (https://github.com/parseablehq/parseable/releases/tag/v2.9.2), which restores the secret-masking behaviour removed by the commented-out code (fix in PR #1698 / commit f307c4989cc9f3ff4204fd383dec7a39924e6b2a). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Parseable deployments and audit which users hold GetAlert permissions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40159
GHSA-9cf6-6j4g-mw9r