CVE-2026-29023
Published: 09 March 2026
Summary
CVE-2026-29023 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Policy and procedures prohibit hard-coded credentials in favor of managed authentication.
External identity providers eliminate the need for hard-coded credentials in applications.
Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials.
Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
Intelligence programs surface reports of campaigns that abuse hard-coded credentials in products, prompting removal or replacement and thereby reducing successful exploitation.
Planned investment enables secure credential storage and management systems instead of hard-coded credentials.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A hard-coded API key in a network-exposed router enables unauthenticated remote exploitation of a public-facing application (T1190) and direct use of valid credentials (T1078); post-authentication proxying of upstream provider requests facilitates proxy abuse (T1090).
NVD Description
Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, resulting in unauthorized API usage and potential disclosure of proxied request and response data. This vulnerability's general exploitability has been mitigated with the introduction of commit 023cc95.
Deeper analysis
CVE-2026-29023 is a use of hard-coded credentials vulnerability (CWE-798) in Keygraph Shannon, an open-source tool, specifically within its router configuration. The issue involves a static API key embedded in the code, which becomes exploitable when the router component is enabled and exposed to the network. This flaw has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.
Network-based attackers who can reach the exposed router port can authenticate using the publicly known hard-coded API key. Once authenticated, they can proxy arbitrary requests through the Shannon instance, leveraging the victim's configured upstream provider API credentials. This enables unauthorized API usage on the victim's behalf and potential interception or disclosure of proxied request and response data.
Mitigation is available through commit 023cc95 introduced in pull request #224 on the Keygraph Shannon GitHub repository, which addresses the general exploitability of the vulnerability. Additional details are documented in GitHub issue #186 and the VulnCheck advisory at https://www.vulncheck.com/advisories/keygraph-shannon-hard-coded-router-api-key.
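A startup guard that addresses the exposure condition described above (static key plus a reachable router port), as an added example; it is not Keygraph Shannon's code and not the change made in commit 023cc95. The `ROUTER_API_KEY` variable name, the placeholder key and all function names are assumptions.

```python
import hmac
import ipaddress
import secrets

# Constructed placeholder standing in for a key published in a public repo;
# it is NOT the real Shannon value.
KNOWN_STATIC_KEYS = {"example-static-router-key"}
MIN_KEY_LEN = 32


class RouterConfigError(Exception):
    """Raised when the router would start with an unsafe auth setup."""


def is_loopback(bind_host: str) -> bool:
    """True only when the listener is unreachable from other hosts."""
    if bind_host == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind_host).is_loopback
    except ValueError:
        return False  # unknown hostname: treat it as exposed


def resolve_router_key(env: dict, bind_host: str) -> str:
    """Return the key the router must require, or refuse to start."""
    key = env.get("ROUTER_API_KEY", "")  # hypothetical variable name
    if not key:
        if is_loopback(bind_host):
            # Per-instance random key: nothing static to copy from the repo.
            return secrets.token_urlsafe(32)
        raise RouterConfigError("exposed router needs an operator-set key")
    if key in KNOWN_STATIC_KEYS:
        raise RouterConfigError("key matches a published static value")
    if len(key) < MIN_KEY_LEN:
        raise RouterConfigError("key is too short")
    return key


def authorized(presented: str, expected: str) -> bool:
    # Constant-time comparison so response timing does not leak the key.
    return hmac.compare_digest(presented.encode(), expected.encode())
```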
Details
- CWE(s)