CVE-2026-40584
Published: 21 April 2026
Summary
CVE-2026-40584 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in RansomLook (NVD vendor/product: Ransomlook Ransomlook). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 13.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires filtering of information prior to transmission outside the system boundary, directly mitigating the improper filtering of private location entries in API responses.
- Enforces approved authorizations for controlling the flow of information, preventing unauthorized disclosure of non-public location data through the API.
- Designs and implements controls for publicly accessible applications to protect non-public information, such as private location entries exposed in unauthenticated API responses.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is in a public-facing web API endpoint that unauthenticated attackers can query directly over the network; because the endpoint filters private entries improperly, such a query returns sensitive data, which is exactly the exploitation of a public-facing application that T1190 describes.
NVD Description
RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries marked as private may be unintentionally retained in API responses, allowing unauthorized disclosure of non-public location information. This vulnerability is fixed in 1.9.0.
Deeper analysis
CVE-2026-40584 affects RansomLook, an open-source tool for monitoring ransomware groups, markets, and victim extractions, specifically versions prior to 1.9.0. The vulnerability resides in the API implementation within the file website/web/api/genericapi.py, where private location entries are improperly filtered. Due to a coding error that removes elements from a list while iterating over it, entries marked as private can be unintentionally retained in API responses, leading to unauthorized disclosure of non-public location information. This issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability can be exploited remotely over the network by any unauthenticated attacker with low complexity and no user interaction required. By querying the affected API endpoint, an attacker can retrieve responses that include private location data intended to be filtered out, resulting in high-impact confidentiality violations without affecting integrity or availability.
Mitigation is available through upgrading to RansomLook version 1.9.0, which addresses the filtering logic flaw. Detailed advisory information, including patch details and reproduction steps, is provided in the GitHub Security Advisory at https://github.com/RansomLook/RansomLook/security/advisories/GHSA-hv66-vcqc-v87c and the CIRCL vulnerability database entry at https://vulnerability.circl.lu/vuln/gcve-1-2026-0025.
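The following is an added illustration (not RansomLook's own code) of the bug class the advisory describes: removing items from a Python list while iterating over it skips the element that follows each removed one, so two adjacent "private" entries let the second one through. The `filter_private_fixed` function shows the non-mutating form. Field names (`slug`, `private`) and the sample records are assumptions constructed for the example.

```python
# Added example, not code from RansomLook. Demonstrates the
# "remove while iterating" defect and a filter that avoids it.

def filter_private_buggy(locations):
    """Mutates the list it iterates. After list.remove() the remaining
    elements shift left one position, but the iterator still advances,
    so the element right after a removed one is never examined."""
    for loc in locations:
        if loc.get("private"):
            locations.remove(loc)
    return locations


def filter_private_fixed(locations):
    """Builds a new list instead of mutating the one being iterated."""
    return [loc for loc in locations if not loc.get("private")]


def leaked_slugs(locations):
    """Slugs of entries that are still present after the buggy filter
    although they are marked private (i.e. what the API would leak).
    Works on a copy so the caller's data is left untouched."""
    filtered = filter_private_buggy([dict(loc) for loc in locations])
    return [loc["slug"] for loc in filtered if loc.get("private")]


# Constructed sample input (assumed field names). Two adjacent private
# entries are the trigger: "a" is removed, "b" is skipped and retained.
SAMPLE = [
    {"slug": "a", "private": True},
    {"slug": "b", "private": True},
    {"slug": "c", "private": False},
]

if __name__ == "__main__":
    print("buggy  :", [l["slug"] for l in filter_private_buggy([dict(l) for l in SAMPLE])])
    print("fixed  :", [l["slug"] for l in filter_private_fixed(SAMPLE)])
    print("leaked :", leaked_slugs(SAMPLE))
```

Whether the buggy filter leaks depends on the ordering of the data: with the private entries separated by a public one it happens to behave, which is why such defects survive casual testing.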
Details
- CWE(s)