Cyber Resilience

CVE-2026-35467

Severity: High (updated)
Published: 02 April 2026
Modified: 03 June 2026
KEV Added: not listed
Patch: referenced (see Deeper analysis)
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0001 (1.5th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35467 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in CMU cveClient (CERTCC/cveClient). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 1.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2026-35467 is a vulnerability in the temporary browser client of the CERTCC/cveClient software: the API keys it stores are not marked as protected, so the encryption credentials can be read out through the JavaScript console or surfaced by errors. The weakness is classified as CWE-522 (Insufficiently Protected Credentials). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): network-reachable, low attack complexity, no privileges or user interaction required, and high confidentiality impact with no integrity or availability impact.

A remote, unauthenticated attacker who can reach an affected browser client instance can recover the stored keys, for example through the developer console or through error logging that includes them. The exposed API keys and encryption credentials may then grant access to the resources or data they protect.

Mitigation details are in the project's GitHub repository (https://github.com/CERTCC/cveClient/) and in the associated pull request (https://github.com/CERTCC/cveClient/pull/39), which addresses the protection of stored credentials. Security practitioners should review those changes and update affected deployments.

Vulnerability details

The stored API keys in the temporary browser client are not marked as protected, allowing for extraction of the encryption credentials via the JavaScript console or other errors.

CWE(s): CWE-522 Insufficiently Protected Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1552 Unsecured Credentials (Credential Access): adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

A vulnerability in a public-facing browser client enables remote, unauthenticated extraction of unprotected API keys and credentials: T1190 covers the exploitation of the public-facing application, and T1552 covers access to the unsecured credentials via the console or error output.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-27648 (shared CWE-522)
- CVE-2020-37097 (shared CWE-522)
- CVE-2026-22189 (same vendor: Cmu)
- CVE-2026-20791 (shared CWE-522)
- CVE-2026-23658 (shared CWE-522)
- CVE-2025-27092 (same vendor: Cmu)
- CVE-2026-33575 (shared CWE-522)
- CVE-2026-22190 (same vendor: Cmu)
- CVE-2025-58741 (shared CWE-522)
- CVE-2026-32633 (shared CWE-522)

Affected Assets

Vendor: cmu
Product: cveclient
Versions: ≤ 1.0.24

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent: SC-28 Protection of Information at Rest requires cryptographic or other protection for information at rest, directly preventing extraction of unprotected stored API keys and encryption credentials from browser client storage.
- Prevent: IA-5 Authenticator Management mandates protection of authenticators such as API keys from unauthorized disclosure and modification, addressing the insufficient protection in the temporary browser client.
- Prevent: SI-11 Error Handling limits error messages to avoid revealing sensitive information, mitigating credential extraction via error logging mechanisms in the browser client.

References