Cyber Resilience

CVE-2026-30994

Severity: High
Published: 15 April 2026
Modified: 17 April 2026
KEV Added: not listed
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0006 (20.1st percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-30994 is a high-severity Improper Access Control (CWE-284) vulnerability in the config.php component of Slah version 1.5.0 and below. (The "Joaopaulodeoliveira" asset label used elsewhere on this page was inferred from the reference URLs, which point to the advisory host rather than the affected product.) Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.1st percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-30994 is an incorrect access control vulnerability (CWE-284) in the config.php component of Slah version 1.5.0 and below. Published on 2026-04-15, it enables unauthenticated attackers to access sensitive information, including active session credentials. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network-based exploitation.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, no required privileges, and no user interaction. Exploitation results in the disclosure of sensitive data, such as active session credentials, potentially allowing attackers to hijack sessions or gain further unauthorized access within the affected Slah instance. Note that the CVSS vector scores only the direct confidentiality loss (I:N/A:N); a hijacked session gives the attacker whatever the hijacked user can do, so the practical impact should be assessed as at least that of the most privileged session active at the time of exploitation.

Mitigation details and advisories are available at https://cve.joaopaulodeoliveira.dev/cve.php/published/CVE-2026-30994 and https://cve.joaopaulodeoliveira.dev/cve.php/reserved/slah-informatica-sensitive-data-exposure.

Vulnerability details

Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.

CWE(s): CWE-284 Improper Access Control

Related Threats: MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

The vulnerability is a remote, unauthenticated exposure in a public-facing web application component (config.php), which directly maps to T1190; the disclosure of active session credentials specifically enables T1539-style session hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
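The detection side of T1190 for this CVE is straightforward: a successful, unauthenticated request whose target is config.php itself. The following is an added example for this page, not code from the Slah project or the advisory. It assumes Apache/nginx "combined" access-log format, and the sample log lines, the extra include paths and the classification thresholds are constructed for illustration.

```python
"""Flag direct, successful requests to config.php in web access logs.

Added example, not code from the Slah project or from the advisory.
Assumes the "combined" access-log format; the sample lines, the extra
include paths and the classification rules below are constructed.
"""
import re
from collections import defaultdict

# combined format: host ident authuser [date] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# config.php is the component named in CVE-2026-30994; the other two paths
# are an assumption about common PHP layouts, not taken from the advisory.
SENSITIVE_PATHS = ("/config.php", "/includes/config.php", "/inc/config.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def targets_config(rec):
    path = rec["path"].split("?", 1)[0].lower()
    return any(path.endswith(p) for p in SENSITIVE_PATHS)


def is_config_disclosure(rec):
    """Suspicious when config.php is the requested resource, the server answered
    200 with a body, and no authenticated user is recorded. The combined format
    only records HTTP-auth users, so an application session is invisible here;
    '-' is therefore treated as unauthenticated (a deliberately noisy choice)."""
    return (targets_config(rec) and rec["status"] == 200
            and rec["size"] > 0 and rec["user"] == "-")


def find_config_disclosures(lines):
    """Return ({source_ip: [paths]}, blocked_count).

    blocked_count is the number of config.php probes the server refused
    (401/403/404), useful as a baseline for how often the path is scanned."""
    hits = defaultdict(list)
    blocked = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if targets_config(rec) and rec["status"] in (401, 403, 404):
            blocked += 1
        elif is_config_disclosure(rec):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits), blocked


# Constructed sample traffic (not real logs).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Apr/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Apr/2026:10:01:09 +0000] "GET /config.php HTTP/1.1" 200 1843 "-" "python-requests/2.31"',
    '203.0.113.7 - - [15/Apr/2026:10:01:10 +0000] "GET /includes/config.php HTTP/1.1" 200 1843 "-" "python-requests/2.31"',
    '198.51.100.4 - - [15/Apr/2026:10:02:30 +0000] "GET /config.php HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '198.51.100.4 - - [15/Apr/2026:10:02:31 +0000] "GET /config.php.bak HTTP/1.1" 404 162 "-" "curl/8.4.0"',
    '192.0.2.9 - admin [15/Apr/2026:10:03:00 +0000] "GET /config.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, blocked = find_config_disclosures(SAMPLE_LOG)
    for ip, paths in hits.items():
        print(f"ALERT {ip}: unauthenticated config.php disclosure x{len(paths)}: {paths}")
    print(f"config.php probes refused by the server: {blocked}")
```

On the sample input this reports 203.0.113.7 twice (both requests returned 200 with a body to an unauthenticated client) and counts one refused probe; the 200 served to the HTTP-authenticated user "admin" is not flagged. A 200 with a non-empty body is the signal to act on: a correctly hardened instance should answer a direct request for config.php with 403 or 404, so any 200 after patching indicates the fix is not in place.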

CVEs Like This One

CVE-2026-39339 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2025-26010 (shared CWE-284)
CVE-2026-34291 (shared CWE-284)
CVE-2023-47539 (shared CWE-284)
CVE-2026-23899 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)
CVE-2026-46822 (shared CWE-284)
CVE-2024-37566 (shared CWE-284)
CVE-2026-30689 (shared CWE-284)

Affected Assets

Slah version 1.5.0 and below (config.php component), per the vulnerability description. NVD has not filed a CPE for this CVE; the vendor label "Joaopaulodeoliveira" was inferred from the reference URLs, which point to the advisory host rather than the affected product, so verify the actual product name against the vendor advisory before matching inventory.

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access, directly preventing unauthenticated attackers from reaching sensitive information in the config.php component.

AC-14 Permitted Actions Without Identification or Authentication (prevent, detect)
Defines and monitors the actions permitted without authentication, explicitly excluding access to sensitive config.php data such as session credentials.

AC-6 Least Privilege (prevent; control ID inferred from the description)
Implements least privilege so that unauthenticated users lack the access necessary to view active session credentials in config.php.
