CVE-2025-70963
Published: 06 February 2026
Summary
CVE-2025-70963 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Getgophish Gophish. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). It is ranked at the 4.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data.
Requiring equivalent controls at the alternate storage site prevents unauthorized exposure of sensitive backup data.
Protecting confidentiality of backup information prevents unauthorized exposure of sensitive data stored in backups.
Policies mandate protection of CUI on external systems, directly reducing unauthorized exposure of sensitive information.
Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented.
Encrypting or otherwise protecting data at rest directly prevents unauthorized actors from reading sensitive information stored on disk or other media.
Fragmentation across systems ensures that exposure from any single component yields only incomplete information, directly reducing the impact of unauthorized disclosure.
OPSEC controls directly protect supply chain information from unauthorized observation or disclosure.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Vulnerability directly exposes long-lived API keys in client-side HTML/JS, enabling theft of application access tokens by any browser-context script.
NVD Description
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.
Deeper analysis (AI)
CVE-2025-70963 is an incorrect access control vulnerability (CWE-200, CWE-922) affecting Gophish versions <=0.12.1. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L) and was published on 2026-02-06T18:15:55.510.
The attack requires low-privileged access (PR:L) over the network (AV:N), low attack complexity (AC:L), and user interaction (UI:R), such as the victim logging into the dashboard. Once a victim authenticates, any script executing in the browser context can extract the exposed API key. An attacker holding the key can achieve high confidentiality and integrity impacts (C:H/I:H) with low availability impact (A:L), since the key authorizes actions through the Gophish API.
Mitigation details are available in the GitHub issue at https://github.com/gophish/gophish/issues/9366.
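The weakness class described above, as an added illustration that is not Gophish's own code and does not reproduce its templates: a hypothetical Go dashboard handler whose template inlines the user's long-lived API key into page JavaScript (the pattern the advisory describes), beside a hardened variant whose view model simply never contains the key, so the page carries only a per-session CSRF token and the dashboard's own requests ride on the session cookie. `LeaksAPIKey` is a defender-side regression check: render a test account's dashboard and confirm the known key is absent from the page source. The user, key value and CSRF token are constructed placeholders. Keeping the key out of page source removes it from every page load, which is the fix the advisory points at; it does not protect against a script that can already act with the user's session, so any key that was rendered into a dashboard while a vulnerable version was deployed should be rotated.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// User is a constructed sample; the API key value is a placeholder, not a real credential.
type User struct {
	Username string
	APIKey   string
}

var sampleUser = User{Username: "admin", APIKey: "EXAMPLE-LONG-LIVED-API-KEY-0000"}

// Weak pattern (hypothetical, modelled on the behaviour the advisory describes):
// the template inlines the user's long-lived API key into page JavaScript on every
// render, so any script executing in the page's origin can read it.
var weakDashboard = template.Must(template.New("weak").Parse(`<!doctype html>
<html><body>
<h1>Dashboard for {{.Username}}</h1>
<script>
  window.API_KEY = {{.APIKey}};
</script>
</body></html>
`))

// hardenedView deliberately has no APIKey field, so the template cannot leak one.
type hardenedView struct {
	Username  string
	CSRFToken string
}

// Hardened pattern (hypothetical): the page carries only a per-session CSRF token;
// dashboard JavaScript calls the backend with the session cookie plus that token,
// and the long-lived key is never written into the DOM or page scripts.
var hardenedDashboard = template.Must(template.New("hardened").Parse(`<!doctype html>
<html><head>
<meta name="csrf-token" content="{{.CSRFToken}}">
</head><body>
<h1>Dashboard for {{.Username}}</h1>
</body></html>
`))

// RenderWeakDashboard renders the vulnerable page for u (key ends up in the HTML).
func RenderWeakDashboard(u User) string {
	var buf bytes.Buffer
	if err := weakDashboard.Execute(&buf, u); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderHardenedDashboard renders the fixed page; the template never receives the key.
func RenderHardenedDashboard(u User, csrfToken string) string {
	var buf bytes.Buffer
	view := hardenedView{Username: u.Username, CSRFToken: csrfToken}
	if err := hardenedDashboard.Execute(&buf, view); err != nil {
		panic(err)
	}
	return buf.String()
}

// LeaksAPIKey is a defender-side regression check: given a rendered page and the key
// a test account is known to hold, report whether the page source contains it.
// An empty key is treated as "nothing to leak" rather than as a trivial match.
func LeaksAPIKey(pageHTML, apiKey string) bool {
	return apiKey != "" && strings.Contains(pageHTML, apiKey)
}

func main() {
	weak := RenderWeakDashboard(sampleUser)
	fixed := RenderHardenedDashboard(sampleUser, "csrf-token-placeholder")
	fmt.Println("weak page leaks key:    ", LeaksAPIKey(weak, sampleUser.APIKey))  // true
	fmt.Println("hardened page leaks key:", LeaksAPIKey(fixed, sampleUser.APIKey)) // false
}
```

Because html/template escapes values contextually, the key inside the `<script>` block is emitted as a quoted JavaScript string literal, which is exactly the exposure the advisory describes; the check matches on the raw key value, so it does not depend on how the template quoted it.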
Details
- CWE(s)