CVE-2026-5128
Published: 30 March 2026
Summary
CVE-2026-5128 is a vulnerability of uncategorised severity with an unspecified weakness type. Its CVSS base score is N/A.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 34.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SA-22 (Unsupported System Components).
Deeper analysis
CVE-2026-5128 is a sensitive information exposure vulnerability (CWE-200, CWE-532) affecting ArthurFiorette's steam-trader version 2.1.1, an application interacting with Steam accounts for trading functionality. The flaw allows unauthenticated access to highly sensitive data via the /users API endpoint, including Steam account usernames, passwords, identity secrets, and shared secrets. Additionally, application logs disclose authentication artifacts such as access tokens, refresh tokens, and session identifiers.
An unauthenticated attacker can exploit this vulnerability remotely with low complexity by sending a request to the exposed /users endpoint, retrieving the sensitive Steam credentials without any privileges or user interaction. With this data, the attacker can generate valid Steam Guard (2FA) codes, hijack authenticated sessions, and gain full control over the victim's Steam account, enabling unauthorized access to inventory and trading features.
No patches or fixes are available, as the project's GitHub repository (https://github.com/arthurfiorette/steam-trader) is archived and no longer maintained, leaving users without official mitigation options.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17075
Vulnerability details
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-532 (Insertion of Sensitive Information into Log File), as identified in the analysis above
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated access to public-facing /users API exposes Steam usernames, passwords, identity/shared secrets (enabling account control), access/refresh tokens, and session identifiers; logs expose additional tokens, directly mapping to public app exploitation and credential/token theft techniques.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SA-22 (Unsupported System Components): Prohibits or mitigates use of the archived and unmaintained steam-trader v2.1.1, directly addressing the unpatched sensitive information exposure vulnerability.
- AC-3 (Access Enforcement): Enforces approved authorizations to block unauthenticated access to the /users API endpoint exposing Steam credentials and secrets.
- Verifies authorization for public interfaces like the /users endpoint to prevent unauthorized remote access to sensitive data.
References
- No references listed