Cyber Posture

CVE-2026-28678

Severity: High
Published: 07 March 2026
Modified: 11 March 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (8.6th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28678 is a high-severity Missing Encryption of Sensitive Data (CWE-311) vulnerability in Toxicbishop Dsa Study Hub. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528); ranked at the 8.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-13 (Cryptographic Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Steal Application Access Token (T1528) and 5 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-13 Cryptographic Protection (prevent): Implements cryptographic mechanisms to protect sensitive data, such as unencrypted JWT payloads in cookies, from unauthorized disclosure and modification.

IA-5 Authenticator Management (prevent): Requires management and protection of authenticators, such as JWT tokens, from unauthorized disclosure, directly addressing insufficient protection of credentials in cookies.

prevent: Protects the confidentiality and integrity of transmitted information, mitigating network interception of unprotected HTTP cookies containing JWTs.

MITRE ATT&CK Enterprise Techniques

T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

T1550.001 Application Access Token (Lateral Movement): Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.

T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

Vulnerability exposes JWT auth tokens in unprotected cookies, directly enabling theft of application access tokens/web session cookies (T1528/T1539), browser session hijacking (T1185), and reuse for valid account access or alternate authentication material (T1078/T1550.001/T1550.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba.

Deeper analysis

CVE-2026-28678 affects DSA Study Hub, an interactive educational web application, specifically the user authentication system in server/routes/auth.js prior to commit d527fba. The vulnerability involves insufficiently protected credentials, where authentication tokens in the form of JSON Web Tokens (JWTs) are stored in HTTP cookies without cryptographic protection of the payload. This flaw, mapped to CWE-311 (Missing Encryption of Sensitive Data) and CWE-522 (Insufficiently Protected Credentials), received a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and was published on 2026-03-07.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity but requires user interaction, such as tricking a victim into accessing a malicious resource. By intercepting or accessing the unprotected HTTP cookie containing the JWT, the attacker can decode the exposed payload and extract sensitive authentication data. This enables high-impact confidentiality violations, such as credential theft, and integrity violations, including token manipulation for unauthorized access or impersonation, without affecting availability.

The GitHub security advisory (GHSA-vmxr-562h-rcgg) and patch commit (d527fba3b3c15f185b9d1e730322dff9248391e4) confirm mitigation through updates to the DSA-with-tsx repository that add cryptographic protection to the JWT payload in cookies. Security practitioners should ensure deployments update to or beyond commit d527fba and verify cookie handling practices, such as enforcing HTTPS and setting the Secure and HttpOnly flags where applicable.

Details

CWE(s): CWE-311 (Missing Encryption of Sensitive Data), CWE-522 (Insufficiently Protected Credentials)

Affected Products: toxicbishop dsa study hub, versions ≤ 2026-02-21

CVEs Like This One

CVE-2025-0498 (shared CWE-522)
CVE-2026-32913 (shared CWE-522)
CVE-2025-29314 (shared CWE-311)
CVE-2025-0477 (shared CWE-522)
CVE-2025-0497 (shared CWE-522)
CVE-2026-39462 (shared CWE-522)
CVE-2025-69271 (shared CWE-522)
CVE-2026-23658 (shared CWE-522)
CVE-2025-25650 (shared CWE-522)
CVE-2025-27650 (shared CWE-522)