Cyber Resilience

CVE-2026-29872

Severity: High · Public PoC

Published: 30 March 2026
Modified: 06 April 2026
KEV Added: no (not in the CISA KEV catalog)
Patch: none recorded
CVSS v3.1: 8.2 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.0025 (16.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-29872 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in the awesome-llm-apps project by theunwindai (catalogued as Theunwindai Awesome Llm Apps). Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is classified as AI-related, in the category AI Agent Protocols and Integrations and the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-29872, published on 2026-03-30, is a cross-session information disclosure vulnerability in the awesome-llm-apps project, specifically affecting the Streamlit-based GitHub MCP Agent at commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The issue stems from the agent writing user-supplied API tokens into process-wide environment variables via os.environ, with no per-session isolation. Streamlit runs the script reruns of every connected browser session inside a single Python process, so a value written to os.environ by one session persists in that process and is visible to every other session's script run, whereas st.session_state is kept separately per session.

An unauthenticated attacker with network access to the app can exploit this by connecting after a legitimate user has entered their credentials. The attacker's session runs in the same process and the agent reads the same shared environment variables, so the victim's secrets, such as a GitHub Personal Access Token or an LLM API key, become available to the attacker's session. Successful exploitation enables unauthorized access to private resources and potential financial abuse (the victim's API quota is spent on the attacker's behalf). The CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), and the associated CWEs are CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control) and CWE-522 (Insufficiently Protected Credentials).
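The leak comes down to two different lifetimes: os.environ is one mapping shared by every Streamlit session in the server process, while st.session_state is kept separately per browser session. The following is an added example, not code from awesome-llm-apps or from the security-research document. It models Streamlit's single-process execution with plain dicts (Streamlit itself is not imported), puts the vulnerable os.environ pattern beside a per-session alternative, and includes a small AST-based audit that flags process-wide environment writes in a script. The variable name GITHUB_TOKEN, the token value and the sample app source are constructed for the illustration.

```python
"""Added example (not code from awesome-llm-apps): why a per-user token written to
os.environ leaks across Streamlit sessions, a per-session alternative, and an
audit for the pattern. Streamlit is not imported; plain dicts stand in for
st.session_state, which Streamlit keeps separate for each browser session, while
os.environ is shared by every session in the one server process."""
import ast
import os
from typing import Callable, Optional

TOKEN_VAR = "GITHUB_TOKEN"  # assumed variable name, chosen for illustration


def vulnerable_run(session_state: dict, token_input: Optional[str]) -> Optional[str]:
    """One script rerun of the vulnerable pattern. A token typed in this session is
    written to the process-wide environment; the agent then reads the environment,
    so a session that typed nothing receives whatever the last user stored."""
    if token_input:
        os.environ[TOKEN_VAR] = token_input
    return os.environ.get(TOKEN_VAR)  # what the agent would use for this rerun


def hardened_run(session_state: dict, token_input: Optional[str]) -> Optional[str]:
    """Same rerun with per-session storage: the token lives in this session's own
    state and is handed to the agent explicitly (for a subprocess-based MCP server,
    as that subprocess's env) instead of through the shared os.environ."""
    if token_input:
        session_state[TOKEN_VAR] = token_input
    return session_state.get(TOKEN_VAR)


def simulate(run: Callable[[dict, Optional[str]], Optional[str]]) -> dict:
    """Two browser sessions in one Python process. Session A enters a constructed
    token; session B enters nothing and plays the unauthenticated attacker."""
    os.environ.pop(TOKEN_VAR, None)                 # clean slate for the demonstration
    session_a, session_b = {}, {}                   # stand-ins for each st.session_state
    victim_token = "ghp_constructed_example_token"  # constructed, not a real PAT
    run(session_a, victim_token)                    # victim's rerun stores the token
    attacker_sees = run(session_b, None)            # attacker's rerun supplies nothing
    os.environ.pop(TOKEN_VAR, None)                 # do not leave the demo token behind
    return {"victim": victim_token, "attacker_sees": attacker_sees}


def _is_os_environ(node: ast.AST) -> bool:
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def find_process_env_writes(source: str) -> list:
    """Line numbers in source that write the process-wide environment:
    os.environ[...] = ..., os.environ.setdefault/update(...), os.putenv(...).
    Any of these inside a Streamlit script is shared state every session can read."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Subscript) and _is_os_environ(target.value):
                    hits.add(node.lineno)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            func = node.func
            if _is_os_environ(func.value) and func.attr in ("setdefault", "update"):
                hits.add(node.lineno)
            elif (isinstance(func.value, ast.Name) and func.value.id == "os"
                  and func.attr == "putenv"):
                hits.add(node.lineno)
    return sorted(hits)


# Constructed Streamlit-style snippet for the audit; not the project's source.
SAMPLE_APP = '''import os
import streamlit as st
token = st.text_input("GitHub token", type="password")
if token:
    os.environ["GITHUB_TOKEN"] = token   # process-wide: visible to every session
st.session_state["token"] = token        # per-session: not shared
'''

if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_run))
    print("hardened:  ", simulate(hardened_run))
    print("process-wide env writes at lines:", find_process_env_writes(SAMPLE_APP))
```

Run as a script, the vulnerable simulation shows the attacker session receiving the victim's token while the hardened one returns nothing for the attacker. The hardened pattern is a general remediation (keep the secret in the session's own state and pass it to the agent or MCP subprocess explicitly), not a description of the project's own fix, which is covered by the security-research document referenced below.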

Mitigation details and additional advisory information are provided in the security research document at https://github.com/lilmingwa13/security-research/blob/main/CVE-2026-29872.md.

This vulnerability highlights risks in multi-tenant AI/ML deployments, as it involves exposure of LLM API keys within an LLM-focused application project.

Vulnerability details

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (primary)
CWE-284 Improper Access Control
CWE-522 Insufficiently Protected Credentials

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords "llm", "mcp"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vulnerability in public-facing Streamlit app directly enables exploitation of the service (T1190) to extract credentials stored without isolation in process-wide environment variables (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29871: same product (Theunwindai Awesome Llm Apps)
CVE-2026-32633: shared CWE-200, CWE-522
CVE-2026-22240: shared CWE-200, CWE-522
CVE-2026-41266: shared CWE-200, CWE-522
CVE-2026-43992: shared CWE-200, CWE-522
CVE-2025-57266: shared CWE-284
CVE-2026-25146: shared CWE-200
CVE-2024-56902: shared CWE-200
CVE-2024-48125: shared CWE-200
CVE-2025-55190: shared CWE-200

Affected Assets

Vendor: theunwindai
Product: awesome llm apps
Affected version: 2026-01-19 (commit e46690f99c3f08be80a9877fab52acacf7ab8251)

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly prevents unauthorized transfer of user-supplied API tokens stored in shared process-wide environment variables across concurrent sessions in the single Python process.

Prevent, SC-39 (Process Isolation): Enforces process isolation so that a single Streamlit process does not serve multiple users without separating their sessions, blocking cross-session access to shared environment variables.

Prevent, IA-5 (Authenticator Management): Requires secure management and storage of authenticators such as GitHub PATs and LLM API keys, prohibiting their placement in insecure, process-wide environment variables accessible to unauthenticated users.

References

https://github.com/lilmingwa13/security-research/blob/main/CVE-2026-29872.md (security research document with mitigation details and advisory information)