CVE-2025-70963
Published: 06 February 2026
Summary
CVE-2025-70963 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Getgophish Gophish. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); it is ranked at the 6.3 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-70963 is an incorrect access control vulnerability (CWE-200, CWE-922) affecting Gophish versions <=0.12.1. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L) and was published on 2026-02-06T18:15:55.510.
The attack requires low-privileged access (PR:L) over the network (AV:N) with low attack complexity (AC:L) and user interaction (UI:R), such as logging into the dashboard. Once a victim authenticates, any script executing in the browser context can extract the exposed API key. Attackers with the key can achieve high confidentiality and integrity impacts (C:H/I:H) along with low availability impact (A:L), enabling unauthorized actions via the Gophish API.
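The exposure pattern described above, shown as a vulnerable template shape beside a hardened one, with the regression check and response-side filter a reviewer would add. This is an added example, not Gophish's own code; the template contents, type and variable names are assumptions.

```go
package main

import (
	"bytes"
	"html/template"
	"regexp"
	"strings"
)

// Constructed example user; the field names are assumptions, not Gophish's.
type dashboardUser struct {
	Username string
	APIKey   string // long-lived credential; must never reach the page body
}

// Vulnerable shape: the key is interpolated straight into inline JS, so any
// script running in the page's origin can read it after login.
var leakyTmpl = template.Must(template.New("leaky").Parse(
	`<html><body><h1>{{.Username}}</h1>
<script>var apiKey = "{{.APIKey}}";</script></body></html>`))

// Hardened shape: the page carries no credential at all. Client code that
// needs the API relies on the existing session instead, leaving nothing for
// an injected or third-party script to read out of the DOM.
var safeTmpl = template.Must(template.New("safe").Parse(
	`<html><body><h1>{{.Username}}</h1>
<script>var apiBase = "/api/";</script></body></html>`))

func render(t *template.Template, u dashboardUser) string {
	var buf bytes.Buffer
	if err := t.Execute(&buf, u); err != nil {
		panic(err)
	}
	return buf.String()
}

// pageLeaksSecret is the regression check: the rendered body must not contain
// the credential in raw form or in either encoding the engine may apply.
func pageLeaksSecret(body, secret string) bool {
	return strings.Contains(body, secret) ||
		strings.Contains(body, template.JSEscapeString(secret)) ||
		strings.Contains(body, template.HTMLEscapeString(secret))
}

// keyLikeInScript is a coarse output filter (the SI-15 idea from the controls
// section): flag inline assignments of a key-named variable to a long literal.
var keyLikeInScript = regexp.MustCompile(
	`(?i)(api[_-]?key|token)\s*[:=]\s*["'][A-Za-z0-9_\-]{32,}["']`)

func scriptAssignsKey(body string) bool { return keyLikeInScript.MatchString(body) }
```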
Mitigation details are available in the GitHub issue at https://github.com/gophish/gophish/issues/9366.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206883
Vulnerability details
Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.
- CWE(s): CWE-200, CWE-922
Related Threats
MITRE ATT&CK Enterprise Techniques
- Steal Application Access Token (T1528)
Why these techniques?
Vulnerability directly exposes long-lived API keys in client-side HTML/JS, enabling theft of application access tokens by any browser-context script.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to sensitive information, directly preventing the exposure of long-lived API keys in the rendered HTML/JavaScript of the administrative dashboard.
- IA-5 (Authenticator Management): Requires protection of authenticator content from unauthorized disclosure and modification, addressing the embedding of permanent API credentials accessible to browser scripts.
- SI-15 (Information Output Filtering): Implements information output filtering to identify and block sensitive data like API keys from being transmitted in dashboard responses to the browser context.