Cyber Posture

CVE-2026-29872

High · Public PoC

Published: 30 March 2026
Modified: 06 April 2026
KEV Added: not listed
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0007 (21.8th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29872 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Theunwindai Awesome Llm Apps. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-39 (Process Isolation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Unsecured Credentials (T1552). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly prevents unauthorized transfer of user-supplied API tokens stored in shared process-wide environment variables across concurrent sessions in the single Python process.

prevent (SC-39, Process Isolation): Enforces process isolation to prevent a single Streamlit process from serving multiple users without separating their sessions, blocking cross-session access to shared environment variables.

prevent (IA-5, Authenticator Management): Requires secure management and storage of authenticators such as GitHub PATs and LLM API keys, prohibiting their placement in insecure, process-wide environment variables accessible to unauthenticated users.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

The vulnerability in the public-facing Streamlit app lets an attacker exploit the service itself (T1190) and, through it, obtain credentials stored without isolation in process-wide environment variables (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse.
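The mechanism in the description above, reduced to a runnable illustration. This is an added example, not code from awesome-llm-apps: Streamlit is not imported, a plain dict stands in for st.session_state, and the variable name GITHUB_TOKEN and the env-building helpers are assumptions. It contrasts the process-wide pattern the advisory describes with a per-session alternative in which the token is overlaid only onto the environment dict handed to a subprocess (the kind of env mapping one would pass to subprocess.Popen when launching a stdio MCP server) and is never written to os.environ.

```python
"""Two Streamlit sessions in one Python process: why a token written to
os.environ is visible to every other session, and a per-session pattern
that keeps it private.

Added illustration, not code from awesome-llm-apps. Streamlit is not
imported; Session.state stands in for st.session_state. The variable
name GITHUB_TOKEN is an assumption; any process-wide variable behaves
the same way.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_VAR = "GITHUB_TOKEN"  # assumed name of the variable the agent sets


@dataclass
class Session:
    """One browser session's private state (stand-in for st.session_state)."""
    state: Dict[str, str] = field(default_factory=dict)


# --- vulnerable pattern: the token lands in process-wide state -----------

def vulnerable_store_token(token: str) -> None:
    """What the affected agent does: os.environ is one mapping for the
    whole interpreter, so this publishes the token to every session."""
    os.environ[TOKEN_VAR] = token


def vulnerable_build_env() -> Dict[str, str]:
    """Environment handed to the MCP server subprocess: a copy of
    os.environ, which still contains the previous user's token."""
    return dict(os.environ)


# --- hardened pattern: the token never leaves its session ----------------

def hardened_store_token(session: Session, token: str) -> None:
    """Keep the token in the session's own state, not in os.environ."""
    session.state[TOKEN_VAR] = token


def hardened_build_env(session: Session) -> Dict[str, str]:
    """Per-session environment for the subprocess: inherit the process
    environment minus any inherited TOKEN_VAR, then overlay only this
    session's token. Nothing is written back to os.environ."""
    env = {k: v for k, v in os.environ.items() if k != TOKEN_VAR}
    token = session.state.get(TOKEN_VAR)
    if token is not None:
        env[TOKEN_VAR] = token
    return env


# --- the two scenarios ---------------------------------------------------

def run_vulnerable(token_a: str = "ghp_userA_secret") -> Optional[str]:
    """User A submits a PAT; user B, who submitted nothing, opens a fresh
    session in the same process. Returns the token B's subprocess would
    receive (A's PAT). os.environ is restored afterwards."""
    saved = os.environ.pop(TOKEN_VAR, None)
    try:
        vulnerable_store_token(token_a)                # session A
        return vulnerable_build_env().get(TOKEN_VAR)   # session B
    finally:
        os.environ.pop(TOKEN_VAR, None)
        if saved is not None:
            os.environ[TOKEN_VAR] = saved


def run_hardened(token_a: str = "ghp_userA_secret") -> Optional[str]:
    """Same two users with per-session storage. Returns the token B's
    subprocess would receive (None: B never supplied one)."""
    session_a, session_b = Session(), Session()
    hardened_store_token(session_a, token_a)
    return hardened_build_env(session_b).get(TOKEN_VAR)


if __name__ == "__main__":
    print("vulnerable: session B sees", run_vulnerable())
    print("hardened:   session B sees", run_hardened())
```

The hardened variant also drops an inherited GITHUB_TOKEN from the parent environment before overlaying the session's own, so a token exported by the operator who started Streamlit does not silently become every visitor's credential either.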

Deeper analysis [AI]

CVE-2026-29872, published on 2026-03-30, is a cross-session information disclosure vulnerability in the awesome-llm-apps project, specifically affecting the Streamlit-based GitHub MCP Agent at commit e46690f99c3f08be80a9877fab52acacf7ab8251 from 2026-01-19. The issue stems from the agent storing user-supplied API tokens in process-wide environment variables via os.environ without implementing proper session isolation. Streamlit's architecture, which serves multiple concurrent users from a single Python process, allows these credentials to persist and become accessible across user sessions.

Unauthenticated attackers with network access can exploit this vulnerability by connecting to the service after a legitimate user has provided their credentials. As a subsequent unauthenticated user, the attacker can access the shared environment variables to extract sensitive data, such as GitHub Personal Access Tokens or LLM API keys. Successful exploitation enables unauthorized access to private resources and potential financial abuse, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and associated CWEs 200 (Exposure of Sensitive Information), 284 (Improper Access Control), and 522 (Insufficiently Protected Credentials).

Mitigation details and additional advisory information are provided in the security research document at https://github.com/lilmingwa13/security-research/blob/main/CVE-2026-29872.md.

This vulnerability highlights risks in multi-tenant AI/ML deployments, as it involves exposure of LLM API keys within an LLM-focused application project.
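To find the same pattern in one's own Streamlit or agent code, the check below flags statements that write to the process-wide environment in a file that also imports streamlit. It is an added audit helper, not part of awesome-llm-apps or of any advisory; it uses only the standard-library ast module, the sample app it scans is constructed for illustration, and aliases such as `from os import environ` are deliberately not followed.

```python
"""Find writes to the process-wide environment in Python source that also
imports streamlit, the pattern behind CVE-2026-29872.

Added audit helper, not part of awesome-llm-apps or of any advisory. It
works on source text with the standard-library ast module, so it runs
offline; SAMPLE_APP below is constructed for illustration. Aliases such
as `from os import environ` are not followed.
"""
import ast
from typing import Dict, List, Tuple

ENV_WRITE_METHODS = {"update", "setdefault"}  # os.environ methods that insert values


def _is_os_environ(node: ast.AST) -> bool:
    """True for the expression `os.environ`."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def _imports_streamlit(tree: ast.AST) -> bool:
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name.split(".")[0] == "streamlit" for alias in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] == "streamlit":
                return True
    return False


def find_environ_writes(source: str) -> List[Tuple[int, str]]:
    """Return (line, description) for each statement that writes to the
    process-wide environment: os.environ[...] = ..., os.environ.update(...),
    os.environ.setdefault(...) and os.putenv(...). Reads are not reported."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Assign, ast.AugAssign, ast.AnnAssign)):
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for target in targets:
                if isinstance(target, ast.Subscript) and _is_os_environ(target.value):
                    findings.append((node.lineno, "os.environ[...] assignment"))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            func = node.func
            if _is_os_environ(func.value) and func.attr in ENV_WRITE_METHODS:
                findings.append((node.lineno, f"os.environ.{func.attr}()"))
            elif (isinstance(func.value, ast.Name) and func.value.id == "os"
                  and func.attr == "putenv"):
                findings.append((node.lineno, "os.putenv()"))
    return sorted(findings)


def audit(source: str) -> Dict[str, object]:
    """Combine both signals: a file that imports streamlit and writes
    os.environ serves many sessions from one process while mutating
    state shared by all of them."""
    tree = ast.parse(source)
    writes = find_environ_writes(source)
    uses_streamlit = _imports_streamlit(tree)
    return {
        "imports_streamlit": uses_streamlit,
        "environ_writes": writes,
        "cross_session_risk": uses_streamlit and bool(writes),
    }


# Constructed sample in the shape of the affected pattern (not the real file).
SAMPLE_APP = '''
import os
import streamlit as st

token = st.text_input("GitHub PAT", type="password")
if token:
    os.environ["GITHUB_TOKEN"] = token          # process-wide, shared by all sessions
os.environ.update({"OPENAI_API_KEY": st.text_input("OpenAI key")})
print(os.environ.get("HOME"))                    # a read: not reported
'''

if __name__ == "__main__":
    for line, what in find_environ_writes(SAMPLE_APP):
        print(f"line {line}: {what}")
    print("cross-session risk:", audit(SAMPLE_APP)["cross_session_risk"])
```

Run it over each .py file of a deployment; a hit in a file that imports streamlit is the place to move the value into st.session_state and pass it explicitly to whatever client or subprocess needs it.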

Details

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control), CWE-522 (Insufficiently Protected Credentials)

Affected Products: theunwindai awesome llm apps, commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19)

AI Security Analysis [AI]

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: llm, mcp, llm

CVEs Like This One

CVE-2026-29871 (same product: Theunwindai Awesome Llm Apps)
CVE-2026-32633 (shared CWE-200, CWE-522)
CVE-2026-41266 (shared CWE-200, CWE-522)
CVE-2026-22240 (shared CWE-200, CWE-522)
CVE-2026-25146 (shared CWE-200)
CVE-2025-68438 (shared CWE-200)
CVE-2024-56902 (shared CWE-200)
CVE-2025-2277 (shared CWE-200, CWE-522)
CVE-2026-20791 (shared CWE-522)
CVE-2026-35467 (shared CWE-522)
