{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35467", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-02T20:09:50.057Z", "datePublished": "2026-04-02T20:27:27.792Z", "dateUpdated": "2026-04-03T13:51:22.012Z"}, "containers": {"cna": {"title": "Private Key stored as extractable in browser IndexeDB", "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "descriptions": [{"lang": "en", "value": "The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials."}], "affected": [{"vendor": "CERT/CC", "product": "cveClient/encrypt-storage.js", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "1.1.15", "versionType": "server"}]}], "references": [{"url": "https://github.com/CERTCC/cveClient/pull/39", "name": "Github PR to fix the issue"}, {"url": "https://github.com/CERTCC/cveClient/", "name": "Github Repository of the project."}], "credits": [{"lang": "en", "value": "Jerry Gamblin (https://github.com/jgamblin)", "type": "finder"}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-02T20:27:27.792Z"}, "x_generator": {"engine": "cveClient/1.0.15"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:50:34.898716Z", "id": "CVE-2026-35467", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:51:22.012Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-35467", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:50:34.898716Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:49:18.061Z"}}], "cna": {"title": "Private Key stored as extractable in browser IndexeDB", "credits": [{"lang": "en", "type": "finder", "value": "Jerry Gamblin (https://github.com/jgamblin)"}], "affected": [{"vendor": "CERT/CC", "product": "cveClient/encrypt-storage.js", "versions": [{"status": "affected", "version": "0", "lessThan": "1.1.15", "versionType": "server"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/CERTCC/cveClient/pull/39", "name": "Github PR to fix the issue"}, {"url": "https://github.com/CERTCC/cveClient/", "name": "Github Repository of the project."}], "x_generator": {"engine": "cveClient/1.0.15"}, "descriptions": [{"lang": "en", "value": "The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-02T20:27:27.792Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35467", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:51:22.012Z", "dateReserved": "2026-04-02T20:09:50.057Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-02T20:27:27.792Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials."}], "id": "CVE-2026-35467", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-02T21:16:40.810", "references": [{"source": "cret@cert.org", "url": "https://github.com/CERTCC/cveClient/"}, {"source": "cret@cert.org", "url": "https://github.com/CERTCC/cveClient/pull/39"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "cret@cert.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.1.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "cveClient/encrypt-storage.js", "source": "cna", "vendor": "CERT/CC"}, "product": "cveclient/encrypt-storage.js", "vendor": "cert/cc"}], "analysis": {"en": {"generated_at": "2026-04-03T17:22:02.458596+00:00", "value": {"mitigation_remediation": ["Update to a future version of cveClient that marks stored credentials as non\u2011extractable, such as the change referenced in the GitHub pull request.", "If an update cannot be applied immediately, avoid storing sensitive credentials on the client side and use server\u2011side secure storage instead.", "Disable or restrict access to the browser console in production environments to limit an attacker\u2019s ability to run arbitrary JavaScript.", "Perform code reviews to ensure that any credential handling follows secure storage practices and adheres to CWE\u2011522 guidelines.", "Monitor API usage for anomalous patterns and rotate keys regularly to limit the impact of a potential credential compromise."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality compromise via extraction of private credentials"}, "threat_synthesis": {"affected_systems": "The affected component is the CERT/CC cveClient, specifically the encrypt-storage.js module that handles credential storage. No explicit version information is provided in the advisory, so all releases that deploy this module unchanged may be affected. Users of the client should verify whether their installation includes the unprotected storage behavior.", "description_and_impact": "This vulnerability occurs when API keys used by the temporary browser client are stored in IndexedDB without any protection, making them extractable through the browser\u2019s JavaScript console or other error conditions. Because the encryption credentials can be read by anyone who can execute JavaScript in that context, an attacker can obtain the keys used for authenticating API calls, leading to credential compromise and potential unauthorized access to secure services.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high impact, and the EPSS score below 1% suggests rare exploitation in the wild. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires the attacker to run arbitrary JavaScript in the victim\u2019s browser typically via a malicious script injected into a trusted page or by exploiting an existing web vulnerability, after which the attacker can read the unprotected credentials from IndexedDB."}}}}, "created": "2026-04-03T07:31:19.551233+00:00", "updated": "2026-04-03T21:17:11.266965+00:00", "vendors": ["cert/cc", "cert/cc$PRODUCT$cveclient/encrypt-storage.js"]}