CVE-2026-32138
Published: 12 March 2026
Summary
CVE-2026-32138 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is classified as AI-related (AI category: Other Platforms; risk domain: Privacy and Disclosure).
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2026-32138 is a vulnerability in the NEXULEAN cybersecurity portfolio and service platform, designed for ethical hackers, AI enthusiasts, and penetration testers, specifically affecting versions prior to 2.0.0 hosted at github.com/Stalin-143/website. The issue involves the exposure of Firebase and Web3Forms API keys, enabling unauthorized interactions with backend services due to improper access control (CWE-284) and use of hard-coded credentials (CWE-798). It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting high confidentiality impact with low integrity impact and no availability disruption.
Remote attackers require no privileges or user interaction to exploit this vulnerability, as the exposed API keys allow direct access to backend services without authentication. Successful exploitation can result in unauthorized access to application resources and user data, potentially compromising sensitive information within the platform.
The vulnerability has been addressed in NEXULEAN version 2.0.0. Security practitioners should upgrade to this release for mitigation. Additional details are available in the GitHub release notes at https://github.com/Stalin-143/website/releases/tag/v2.0.0 and the GitHub security advisory at https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm.
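The root cause described above is a credential literal shipped inside client-side source. As an added defensive example (not code from the NEXULEAN project or from the advisory), the script below scans a source file for the two patterns this advisory names: Google/Firebase web API keys, which use the well-known "AIza" prefix, and quoted literals assigned to secret-looking names such as apiKey or access_key (the name list is an assumption, not something the advisory specifies). The JavaScript it scans is a constructed sample with fake values; a pre-commit or CI hook running the same check would have flagged the configuration before release.

```python
"""Added example: flag hard-coded API-key literals in client-side source.

Not code from the NEXULEAN project. The sample JS and every key value in it
are constructed for illustration; the secret-name list is an assumption.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int       # 1-based line number in the scanned text
    kind: str       # "google_api_key" or "secret_literal"
    name: str       # variable/property/form-field name the value was bound to
    redacted: str   # value with the middle removed, safe to put in a report


# Google/Firebase web API keys are "AIza" followed by 35 URL-safe characters.
GOOGLE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

# A secret-looking name followed by ':' '=' or ',' and a quoted literal of at
# least 16 characters. Covers object properties (apiKey: "..."), assignments
# (token = "...") and form fields ("access_key", "..."). Name list is an
# assumption chosen to cover the key types the advisory mentions.
SECRET_NAME_RE = re.compile(
    r"""(?P<name>api[_-]?key|access[_-]?key|secret|token)["']?\s*[:=,]\s*"""
    r"""["'](?P<value>[^"']{16,})["']""",
    re.IGNORECASE,
)


def redact(value: str) -> str:
    """Keep only the first four and last two characters of a secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def classify(value: str) -> str:
    return "google_api_key" if GOOGLE_KEY_RE.fullmatch(value) else "secret_literal"


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per hard-coded credential literal, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reported = set()
        # Pass 1: literals bound to a telling name (gives us the name too).
        for m in SECRET_NAME_RE.finditer(line):
            value = m.group("value")
            findings.append(Finding(lineno, classify(value), m.group("name"), redact(value)))
            reported.add(value)
        # Pass 2: bare Google-style keys that were not attached to such a name.
        for m in GOOGLE_KEY_RE.finditer(line):
            if m.group(0) not in reported:
                findings.append(Finding(lineno, "google_api_key", "", redact(m.group(0))))
    return findings


# Constructed sample resembling a static site's client bundle. The Google-style
# key is "AIzaSyD" plus 32 hex characters (39 total); the form key is a fake UUID.
FAKE_GOOGLE_KEY = "AIzaSyD" + "0123456789abcdef" * 2
SAMPLE_JS = """\
// constructed sample client bundle; all values are fake
const firebaseConfig = {
  apiKey: "__GOOGLE_KEY__",
  authDomain: "example-project.firebaseapp.com",
  projectId: "example-project",
};
const form = new FormData();
form.append("access_key", "11111111-2222-3333-4444-555555555555");
fetch("https://api.web3forms.com/submit", { method: "POST", body: form });
""".replace("__GOOGLE_KEY__", FAKE_GOOGLE_KEY)


if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f.line}: {f.kind} bound to {f.name or '<unnamed>'} -> {f.redacted}")
```

Run against the sample, the scanner reports the Firebase key on line 3 and the form access key on line 8, with values redacted so the report itself does not become another copy of the secret. Pointing `scan_source` at a real bundle is a detection step only; the remediation the advisory applies is the 2.0.0 release that stops shipping the keys.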
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11661
Vulnerability details
NEXULEAN is a cybersecurity portfolio & service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester. Prior to 2.0.0, a security vulnerability was identified where Firebase and Web3Forms API keys were exposed. An attacker could use these keys to interact with backend services without authentication, potentially leading to unauthorized access to application resources and user data. This vulnerability is fixed in 2.0.0.
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exposed hardcoded Firebase/Web3Forms API keys in a public-facing web app (CWE-798 + CWE-284) directly enable remote unauthenticated exploitation of the application (T1190) and successful adversary discovery/use of credentials stored in files or client-side code (T1552.001).
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly addresses hard-coded and exposed API keys by requiring proper management, protection, and non-disclosure of authenticators.
- SC-14 (Public Access Protections): Protects publicly accessible web platforms and backend resources from unauthorized access by external attackers using exposed keys.
- Enforces access control policies to mitigate unauthorized backend service interactions enabled by improperly managed credentials.