Skip to main content

Parseable EUVDEUVD-2026-40159

| CVE-2026-56783 HIGH
Insufficiently Protected Credentials (CWE-522)
2026-06-29 disclosure@vulncheck.com GHSA-9cf6-6j4g-mw9r
7.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable API exploitable by a low-privilege authenticated account (PR:L), no user interaction, yielding cleartext credential disclosure (C:H) with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 29, 2026 - 19:01 EUVD
Analysis Generated
Jun 29, 2026 - 18:32 vuln.today

DescriptionCVE.org

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.

AnalysisAI

Cleartext credential exposure in Parseable before 2.9.2 lets any authenticated user holding the GetAlert action - including low-privilege reader roles - retrieve webhook tokens, basic-auth credentials, and internal endpoint URLs for every configured notification target by calling GET /api/v1/targets. The exposure stems from secret-masking logic that was commented out, so the API serializes stored secrets verbatim. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Parseable account
Delivery
Authenticate to REST API
Exploit
GET /api/v1/targets with GetAlert permission
Execution
Receive webhook tokens and basic-auth creds cleartext
Impact
Reuse credentials against downstream services

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Parseable account (any role) that has been granted the GetAlert action - explicitly including low-privilege reader roles - plus at least one notification target (webhook or basic-auth HTTP target) already configured with stored credentials; an instance with no notification targets defined has nothing to leak. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) is internally consistent with the description: network-reachable API, low complexity, low privileges (an authenticated reader), no user interaction, and a high confidentiality impact with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user provisioned with only a low-privilege reader role (or an attacker who has phished or compromised such an account) sends GET /api/v1/targets to the Parseable API over the network. The response returns every notification target's webhook token and basic-auth credentials in cleartext, which the attacker harvests to authenticate directly against the organization's Slack, PagerDuty, or internal HTTP receivers. …
Remediation Upgrade to the vendor-released patch: Parseable v2.9.2 (https://github.com/parseablehq/parseable/releases/tag/v2.9.2), which restores the secret-masking behaviour removed by the commented-out code (fix in PR #1698 / commit f307c4989cc9f3ff4204fd383dec7a39924e6b2a). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Parseable deployments and audit which users hold GetAlert permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy