CVE-2026-29023
Published: 09 March 2026
Summary
CVE-2026-29023 is a medium-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-29023 is a use of hard-coded credentials vulnerability (CWE-798) in Keygraph Shannon, an open-source tool, specifically within its router configuration. The issue involves a static API key embedded in the code, which becomes exploitable when the router component is enabled and exposed to the network. This flaw has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.
Network-based attackers who can reach the exposed router port can authenticate using the publicly known hard-coded API key. Once authenticated, they can proxy arbitrary requests through the Shannon instance, leveraging the victim's configured upstream provider API credentials. This enables unauthorized API usage on the victim's behalf and potential interception or disclosure of proxied request and response data.
Mitigation is available through commit 023cc95 introduced in pull request #224 on the Keygraph Shannon GitHub repository, which addresses the general exploitability of the vulnerability. Additional details are documented in GitHub issue #186 and the VulnCheck advisory at https://www.vulncheck.com/advisories/keygraph-shannon-hard-coded-router-api-key.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10344
Vulnerability details
Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can…
more
proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, resulting in unauthorized API usage and potential disclosure of proxied request and response data. This vulnerability's general exploitability has been mitigated with the introduction of commit 023cc95.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hard-coded API key in network-exposed router enables unauthenticated remote exploitation of public-facing app (T1190) and direct use of valid credentials (T1078); post-auth proxying of upstream provider requests facilitates proxy abuse (T1090).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires management of authenticators so that static, hard-coded API keys are never embedded in router configuration or source code.
Boundary-protection rules can block network exposure of the router port, eliminating the attack surface that allows use of the known key.
Enforces access-control decisions that would reject authentication attempts using a publicly known static key instead of per-instance credentials.