CVE-2026-30994
Published: 15 April 2026
Summary
CVE-2026-30994 is a high-severity Improper Access Control (CWE-284) vulnerability in Slah (vendor attribution inferred from the references, which are hosted at joaopaulodeoliveira.dev). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-30994 is an incorrect access control vulnerability (CWE-284) in the config.php component of Slah version 1.5.0 and below. Published on 2026-04-15, it enables unauthenticated attackers to access sensitive information, including active session credentials. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network-based exploitation.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, no required privileges, and no user interaction. Exploitation results in the disclosure of sensitive data, such as active session credentials, potentially allowing attackers to hijack sessions or gain further unauthorized access within the affected Slah instance.
Mitigation details and advisories are available at https://cve.joaopaulodeoliveira.dev/cve.php/published/CVE-2026-30994 and https://cve.joaopaulodeoliveira.dev/cve.php/reserved/slah-informatica-sensitive-data-exposure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22987
Vulnerability details
Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.
- CWE(s): CWE-284 (Improper Access Control)
Related Threats: MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated exposure in a public-facing web application component (config.php), which directly enables exploitation via T1190; the disclosure of active session credentials specifically facilitates session hijacking (T1539).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access, directly preventing unauthenticated attackers from reaching sensitive information in the config.php component.
- AC-14 (Permitted Actions Without Identification or Authentication): defines and monitors the actions permitted without authentication, explicitly prohibiting access to sensitive config.php data such as session credentials.
- AC-6 (Least Privilege): implements least privilege so that unauthenticated users lack the access necessary to view active session credentials in config.php.