CVE-2026-35467
Published: 02 April 2026
Summary
CVE-2026-35467 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 7.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-28 (Protection of Information at Rest): requires cryptographic or other protection for information at rest, directly preventing extraction of unprotected stored API keys and encryption credentials from browser client storage.
- IA-5 (Authenticator Management): mandates protection of authenticators such as API keys from unauthorized disclosure and modification, addressing the insufficient protection in the temporary browser client.
- Error handling: limits error messages to avoid revealing sensitive information, mitigating credential extraction via error logging mechanisms in the browser client.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing browser client and allows remote, unauthenticated extraction of unprotected API keys and credentials: T1190 covers exploitation of the public-facing application, and T1552 (Unsecured Credentials) covers access to the credentials exposed through the console or error output.
NVD Description
The stored API keys in the temporary browser client are not marked as protected, allowing the JavaScript console or other errors to enable extraction of the encryption credentials.
Deeper analysis
CVE-2026-35467 is a vulnerability in the temporary browser client of the CERTCC/cveClient software, where stored API keys are not marked as protected. This flaw allows extraction of encryption credentials via the JavaScript console or other errors, as classified under CWE-522 (Insufficiently Protected Credentials). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no requirements for privileges or user interaction.
Remote attackers can exploit this vulnerability without authentication by accessing the affected browser client instance, for example through the developer console or error logging mechanisms. Successful exploitation yields the sensitive API keys and encryption credentials, potentially compromising access to the resources or data they protect.
Mitigation details are available in the project's GitHub repository at https://github.com/CERTCC/cveClient/ and the associated pull request at https://github.com/CERTCC/cveClient/pull/39, which addresses the protection of stored credentials. Security practitioners should review and apply updates from these sources to affected deployments.
Details
- CWE(s)