Cyber Resilience

CVE-2026-29023

MediumPublic PoC

Published: 09 March 2026

Published
09 March 2026
Modified
01 May 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0006 18.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29023 is a medium-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-29023 is a use of hard-coded credentials vulnerability (CWE-798) in Keygraph Shannon, an open-source tool, specifically within its router configuration. The issue involves a static API key embedded in the code, which becomes exploitable when the router component is enabled and exposed to the network. This flaw has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low complexity.

Network-based attackers who can reach the exposed router port can authenticate using the publicly known hard-coded API key. Once authenticated, they can proxy arbitrary requests through the Shannon instance, leveraging the victim's configured upstream provider API credentials. This enables unauthorized API usage on the victim's behalf and potential interception or disclosure of proxied request and response data.

Mitigation is available through commit 023cc95 introduced in pull request #224 on the Keygraph Shannon GitHub repository, which addresses the general exploitability of the vulnerability. Additional details are documented in GitHub issue #186 and the VulnCheck advisory at https://www.vulncheck.com/advisories/keygraph-shannon-hard-coded-router-api-key.

EU & UK References

Vulnerability details

Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can…

more

proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, resulting in unauthorized API usage and potential disclosure of proxied request and response data. This vulnerability's general exploitability has been mitigated with the introduction of commit 023cc95.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1090 Proxy Command And Control
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
Why these techniques?

Hard-coded API key in network-exposed router enables unauthenticated remote exploitation of public-facing app (T1190) and direct use of valid credentials (T1078); post-auth proxying of upstream provider requests facilitates proxy abuse (T1090).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1393Shared CWE-798
CVE-2025-8857Shared CWE-798
CVE-2025-37103Shared CWE-798
CVE-2025-2538Shared CWE-798
CVE-2026-9139Shared CWE-798
CVE-2026-28255Shared CWE-798
CVE-2025-42890Shared CWE-798
CVE-2020-36911Shared CWE-798
CVE-2026-35503Shared CWE-798
CVE-2017-20234Shared CWE-798

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires management of authenticators so that static, hard-coded API keys are never embedded in router configuration or source code.

prevent

Boundary-protection rules can block network exposure of the router port, eliminating the attack surface that allows use of the known key.

prevent

Enforces access-control decisions that would reject authentication attempts using a publicly known static key instead of per-instance credentials.

References