CVE-2026-29872

# Conceptual PoC demonstrating the vulnerable logic import os import streamlit as st # Vulnerable: Storing user input in process-wide environment variable def store_user_token(token): os.environ['USER_API_TOKEN'] = token # Attacker's simple retrieval code (conceptual) def retrieve_leaked_token(): # Accessing the global environment variable leaked by a previous user return os.environ.get('USER_API_TOKEN') # Example usage in the vulnerable app user_input = st.text_input("Enter your API Key") if user_input: store_user_token(user_input) # Vulnerability occurs here

{"cve": {"id": "CVE-2026-29872", "sourceIdentifier": "[email protected]", "published": "2026-03-30T18:16:18.523", "lastModified": "2026-04-06T16:00:39.033", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse."}, {"lang": "es", "value": "Existe una vulnerabilidad de revelación de información entre sesiones en el proyecto awesome-llm-apps en el commit e46690f99c3f08be80a9877fab52acacf7ab8251 (19-01-2026). El agente GitHub MCP basado en Streamlit afectado almacena tokens de API proporcionados por el usuario en variables de entorno a nivel de proceso usando os.environ sin un aislamiento de sesión adecuado. Debido a que Streamlit sirve a múltiples usuarios concurrentes desde un único proceso de Python, las credenciales proporcionadas por un usuario permanecen accesibles para usuarios no autenticados posteriores. Un atacante puede explotar este problema para recuperar información sensible como Tokens de Acceso Personal de GitHub o claves de API de LLM, lo que podría llevar a un acceso no autorizado a recursos privados y abuso financiero."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:theunwindai:awesome_llm_apps:2026-01-19:*:*:*:*:*:*:*", "matchCriteriaId": "4B8162DF-5C1B-41A9-8133-D5A28E01E46C"}]}]}], "references": [{"url": "https://github.com/lilmingwa13/security-research/blob/main/CVE-2026-29872.md", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}]}}