CVE-2026-23846
Information Exposure via URL Parameters in Tugtainer Password Authentication
Publication date: 2026-01-19
Last updated on: 2026-02-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quenary | tugtainer | to 1.16.0 (inc) |
| quenary | tugtainer | 1.16.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-598 | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes passwords to be transmitted via URL query parameters, leading to their exposure in server access logs, browser history, Referer headers, and proxy logs. Such exposure of sensitive authentication credentials can result in unauthorized access and data breaches, which negatively impacts compliance with common standards and regulations like GDPR and HIPAA that require protection of personal and sensitive data. OWASP ASVS v3.1.1 specifically recommends avoiding transmission of credentials via URL parameters to prevent unintended logging and exposure, highlighting the security best practices relevant to compliance. [1]
Can you explain this vulnerability to me?
This vulnerability in Tugtainer versions prior to 1.16.1 involves the password authentication mechanism transmitting passwords via URL query parameters instead of the HTTP request body. This insecure practice causes passwords to be exposed in server access logs, browser history, Referer headers, and proxy logs. The backend code retrieves the password from the URL query string, and the frontend sends the password as a URL query parameter in POST requests. This exposure increases the risk of unauthorized access if logs or browser data are accessed by attackers. [1]
How can this vulnerability impact me? :
The vulnerability can lead to high-impact consequences including exposure of user passwords in server logs, browser history, and proxy logs. This exposure can result in unauthorized parties gaining access to sensitive credentials, potentially leading to account takeover. Additionally, because GET requests with passwords succeed, the risk of password leakage through browser history and Referer headers to external sites is increased. Overall, it compromises confidentiality and integrity of user accounts without affecting availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking your server access logs (e.g., nginx or uvicorn logs) for HTTP requests that include passwords in URL query parameters, such as requests to endpoints like `/api/auth/password/login` with a `password` parameter in the URL. For example, you can use commands like `grep 'password=' /var/log/nginx/access.log` or `grep 'password=' /path/to/uvicorn.log` to find such occurrences. Additionally, monitoring proxy logs and reviewing browser history for URLs containing passwords can help identify exposure. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Tugtainer to version 1.16.1 or later, where the vulnerability is patched. The fix involves changing the password transmission method from URL query parameters to the HTTP request body in JSON format, preventing passwords from being logged in URLs. Until you can upgrade, avoid using vulnerable versions and consider restricting access to logs and proxies that might expose passwords. Also, educate users to avoid logging in via URLs containing passwords. [1, 2]