CVE-2026-32138

Severity: High

Published: 12 March 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: available (fixed in 2.0.0)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0026 (16.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32138 is a high-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related: the AI category is Other Platforms and the risk domain is Privacy and Disclosure.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-32138 is a vulnerability in the NEXULEAN cybersecurity portfolio and service platform, designed for ethical hackers, AI enthusiasts, and penetration testers, specifically affecting versions prior to 2.0.0 hosted at github.com/Stalin-143/website. The issue involves the exposure of Firebase and Web3Forms API keys, enabling unauthorized interactions with backend services due to improper access control (CWE-284) and use of hard-coded credentials (CWE-798). It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting high confidentiality impact with low integrity impact and no availability disruption.

Remote attackers require no privileges or user interaction to exploit this vulnerability, as the exposed API keys allow direct access to backend services without authentication. Successful exploitation can result in unauthorized access to application resources and user data, potentially compromising sensitive information within the platform.

The vulnerability has been addressed in NEXULEAN version 2.0.0. Security practitioners should upgrade to this release for mitigation. Additional details are available in the GitHub release notes at https://github.com/Stalin-143/website/releases/tag/v2.0.0 and the GitHub security advisory at https://github.com/Stalin-143/website/security/advisories/GHSA-r7cr-5wcx-x9wm.

Vulnerability details

NEXULEAN is a cybersecurity portfolio & service platform for an Ethical Hacker, AI Enthusiast, and Penetration Tester. Prior to 2.0.0, a security vulnerability was identified where Firebase and Web3Forms API keys were exposed. An attacker could use these keys to interact with backend services without authentication, potentially leading to unauthorized access to application resources and user data. This vulnerability is fixed in 2.0.0.

CWE(s)

CWE-284 Improper Access Control
CWE-798 Use of Hard-coded Credentials

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Exposed hardcoded Firebase/Web3Forms API keys in a public-facing web app (CWE-798 + CWE-284) directly enable remote unauthenticated exploitation of the application (T1190) and successful adversary discovery/use of credentials stored in files or client-side code (T1552.001).
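As an added defensive example (not code from the NEXULEAN project or from this advisory), the following Python script shows the kind of repository check that would catch the weakness described in the vulnerability details and in the ATT&CK mapping above (T1552.001, credentials in files or client-side code) before a release ships: it scans source files for a Firebase Web API key literal (the documented `AIza` prefix followed by 35 URL-safe characters) and for a UUID-shaped value assigned to a Web3Forms `access_key` field. The Web3Forms key shape, the file suffix list, the `node_modules` exclusion and the sample inputs are assumptions constructed for this example.

```python
import re
import sys
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str


# Google/Firebase Web API keys are "AIza" followed by 35 URL-safe characters (39 total).
# The Web3Forms pattern assumes a UUID-shaped value assigned to an access_key field;
# that shape is an assumption of this example, not something stated in the advisory.
PATTERNS = {
    "firebase-web-api-key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "web3forms-access-key": re.compile(
        r"""access_key["']?\s*[:=]\s*["']([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})["']""",
        re.IGNORECASE,
    ),
}

# File types where client-side config and form handlers usually live (assumed list).
SCAN_SUFFIXES = {".js", ".mjs", ".ts", ".jsx", ".tsx", ".html", ".json"}


def redact(secret: str) -> str:
    """Keep enough of the value to locate it in the file without reprinting the secret."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return one Finding per committed key literal found in `text`, in file order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Use the captured group when the pattern has one (the bare key), else the whole match.
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings


def scan_tree(root: Path) -> List[Finding]:
    """Walk a checkout and scan every file whose suffix is in SCAN_SUFFIXES."""
    findings: List[Finding] = []
    for file in root.rglob("*"):
        if file.is_file() and file.suffix in SCAN_SUFFIXES and "node_modules" not in file.parts:
            findings.extend(scan_text(file.read_text(errors="replace"), str(file)))
    return findings


# Constructed sample inputs (not taken from the affected project).
FAKE_FIREBASE_KEY = "AIzaSyA" + "0" * 32           # 35 characters after "AIza"; not a real key
FAKE_WEB3FORMS_KEY = "12345678-1234-1234-1234-123456789abc"  # constructed UUID-shaped value

SAMPLE_LEAKY_JS = f"""\
// constructed sample: client-side config with keys committed as literals
const firebaseConfig = {{
  apiKey: "{FAKE_FIREBASE_KEY}",
  authDomain: "example-project.firebaseapp.com",
}};
const contactForm = {{ access_key: "{FAKE_WEB3FORMS_KEY}", subject: "Contact" }};
"""

SAMPLE_HARDENED_JS = """\
// constructed sample: values injected from the environment at build/run time
const firebaseConfig = { apiKey: import.meta.env.VITE_FIREBASE_API_KEY };
const contactForm = { access_key: process.env.WEB3FORMS_ACCESS_KEY };
"""


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    if targets:
        results = [f for t in targets for f in scan_tree(t)]
    else:
        results = scan_text(SAMPLE_LEAKY_JS, "sample.js")
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    sys.exit(1 if results else 0)
```

Run it against a checkout (`python scan_keys.py path/to/repo`) as a CI step so the build fails before a key literal reaches a public repository; with no arguments it scans the constructed sample and reports the two committed values. A hit is a triage signal rather than proof of exploitability: a Firebase Web API key identifies the project, and what an unauthenticated holder can actually do with it is decided by the backend's own access controls, which is why the mapped controls below pair authenticator management (IA-5) with protection of public-facing resources (SC-14).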

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-14977 (shared CWE-284)
CVE-2024-50688 (shared CWE-798)
CVE-2026-1233 (shared CWE-798)
CVE-2026-48241 (shared CWE-798)
CVE-2026-30140 (shared CWE-284)
CVE-2025-26615 (shared CWE-284)
CVE-2026-5585 (shared CWE-284)
CVE-2025-26616 (shared CWE-284)
CVE-2024-13773 (shared CWE-798)
CVE-2026-6574 (shared CWE-798)

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): Directly addresses hard-coded and exposed API keys by requiring proper management, protection, and non-disclosure of authenticators.

SC-14 Public Access Protections (prevent): Protects publicly accessible web platforms and backend resources from unauthorized access by external attackers using exposed keys.

Prevent: Enforces access control policies to mitigate unauthorized backend service interactions enabled by improperly managed credentials.
