Cyber Resilience

CVE-2026-5128

Published: 30 March 2026
Modified: 31 March 2026
KEV Added: not listed
Patch: none available
CVSS Score: N/A
EPSS Score: 0.0014 (34.6th percentile)
Risk Priority: 0 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5128 is a vulnerability of uncategorised severity with an unspecified weakness type. Its CVSS base score is N/A.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 34.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SA-22 (Unsupported System Components).

Deeper analysis

CVE-2026-5128 is a sensitive information exposure vulnerability (CWE-200, CWE-532) affecting ArthurFiorette's steam-trader version 2.1.1, an application that interacts with Steam accounts to provide trading functionality. The flaw allows unauthenticated access to highly sensitive data via the /users API endpoint, including Steam account usernames, passwords, identity secrets, and shared secrets. Additionally, application logs disclose authentication artifacts such as access tokens, refresh tokens, and session identifiers.

An unauthenticated attacker can exploit this vulnerability remotely with low complexity by sending a request to the exposed /users endpoint, retrieving the sensitive Steam credentials without any privileges or user interaction. With this data, the attacker can generate valid Steam Guard (2FA) codes, hijack authenticated sessions, and gain full control over the victim's Steam account, enabling unauthorized access to inventory and trading features.

No patches or fixes are available, as the project's GitHub repository (https://github.com/arthurfiorette/steam-trader) is archived and no longer maintained, leaving users without official mitigation options.


Vulnerability details

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1528 Steal Application Access Token (Credential Access): Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
- T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Unauthenticated access to the public-facing /users API exposes Steam usernames, passwords, and identity/shared secrets (enabling full account control), as well as access/refresh tokens and session identifiers; the application logs expose additional tokens. This maps directly to public-application exploitation and credential/token theft techniques.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0


Mitigating Controls (NIST 800-53 r5)

- prevent (SA-22, Unsupported System Components): Prohibits or mitigates use of the archived and unmaintained steam-trader v2.1.1, directly addressing the unpatched sensitive information exposure vulnerability.
- prevent (AC-3, Access Enforcement): Enforces approved authorizations to block unauthenticated access to the /users API endpoint that exposes Steam credentials and secrets.
- prevent: Verifies authorization for public interfaces such as the /users endpoint to prevent unauthorized remote access to sensitive data.
