Cyber Resilience

CVE-2026-40584

Medium

Published: 21 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: 1.9.0
CVSS v4.0 score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0005 (14.8th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40584 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in RansomLook (vendor: Ransomlook, product: Ransomlook). Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 14.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-40584 affects RansomLook, an open-source tool for monitoring ransomware groups, markets, and victim extractions, specifically versions prior to 1.9.0. The vulnerability resides in the API implementation within the file website/web/api/genericapi.py, where private location entries are improperly filtered. Due to a coding error that removes elements from a list while iterating over it, entries marked as private can be unintentionally retained in API responses, leading to unauthorized disclosure of non-public location information. This issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The vulnerability can be exploited remotely over the network by any unauthenticated attacker with low complexity and no user interaction required. By querying the affected API endpoint, an attacker can retrieve responses that include private location data intended to be filtered out, resulting in high-impact confidentiality violations without affecting integrity or availability.

Mitigation is available through upgrading to RansomLook version 1.9.0, which addresses the filtering logic flaw. Detailed advisory information, including patch details and reproduction steps, is provided in the GitHub Security Advisory at https://github.com/RansomLook/RansomLook/security/advisories/GHSA-hv66-vcqc-v87c and the CIRCL vulnerability database entry at https://vulnerability.circl.lu/vuln/gcve-1-2026-0025.

Vulnerability details

RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries marked as private may be unintentionally retained in API responses, allowing unauthorized disclosure of non-public location information. This vulnerability is fixed in 1.9.0.
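The advisory text above and the deeper analysis both describe the same bug class: deleting from a list while iterating over it. The following is a constructed illustration added here, not RansomLook's own code (the record layout, field names and function names are assumptions); it shows why such a filter silently keeps every second adjacent private entry, the list-comprehension form that fixes it, and a check a defender can run on outbound responses.

```python
# Constructed illustration of the bug class described in the advisory:
# filtering "private" entries by deleting from a list while iterating over it.
# This is NOT RansomLook's code; the record layout and function names are assumed.

def filter_private_buggy(locations):
    """Flawed filter: mutates the list it is iterating over.

    Deleting the current element shifts the remaining items left, so the
    element that moved into the current index is never examined. Whenever two
    private entries are adjacent, the second one survives the filter.
    """
    result = list(locations)          # copy so the caller's input is untouched
    for entry in result:
        if entry.get("private"):
            result.remove(entry)      # mutation during iteration: the bug
    return result


def filter_private_fixed(locations):
    """Correct filter: build a new list instead of mutating the one iterated."""
    return [entry for entry in locations if not entry.get("private")]


def leaked_private_entries(response):
    """Defensive check: any private entry in an outbound response is a leak."""
    return [entry["slug"] for entry in response if entry.get("private")]


# Constructed sample data: two adjacent private entries trigger the bug.
SAMPLE_LOCATIONS = [
    {"slug": "group-a", "private": False},
    {"slug": "group-b", "private": True},
    {"slug": "group-c", "private": True},
    {"slug": "group-d", "private": False},
]

if __name__ == "__main__":
    buggy = filter_private_buggy(SAMPLE_LOCATIONS)
    fixed = filter_private_fixed(SAMPLE_LOCATIONS)
    print("buggy filter leaks:", leaked_private_entries(buggy))   # ['group-c']
    print("fixed filter leaks:", leaked_private_entries(fixed))   # []
```

Running the check against a response serialised by the fixed filter returns an empty list; against the buggy filter it names the retained private entry.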

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is in a public-facing web API endpoint that can be directly queried remotely by unauthenticated attackers to access sensitive data due to improper filtering, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13796 (shared CWE-200)
CVE-2025-25975 (shared CWE-200)
CVE-2024-12142 (shared CWE-200)
CVE-2025-25951 (shared CWE-200)
CVE-2026-34297 (shared CWE-200)
CVE-2024-26480 (shared CWE-200)
CVE-2026-24498 (shared CWE-200)
CVE-2025-22828 (shared CWE-200)
CVE-2026-23659 (shared CWE-200)
CVE-2024-11282 (shared CWE-200)

Affected Assets

Vendor: ransomlook
Product: ransomlook
Version: ≤ 1.9.0

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Requires filtering of information prior to transmission outside the system boundary, directly mitigating the improper filtering of private location entries in API responses.

prevent: Enforces approved authorizations for controlling the flow of information, preventing unauthorized disclosure of non-public location data through the API.

prevent: Designs and implements controls for publicly accessible applications to protect non-public information, such as private location entries exposed in unauthenticated API responses.
