Executive Summary

CVE-2026-29023 is a medium-severity vulnerability in Keygraph Shannon caused by a hard-coded API key embedded in its router configuration. When the router component is enabled and exposed to the network, attackers who can reach the router port can authenticate using this publicly known static key.

This allows attackers to proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, leading to unauthorized API usage and potential disclosure of proxied request and response data.

The vulnerability affects versions of Shannon prior to a specific commit (023cc95) that mitigates general exploitability by removing the hardcoded key and restricting network exposure.

Useful 0 Not Useful 0

Impact Analysis

If you are running a vulnerable version of Keygraph Shannon with the router component enabled and exposed, an attacker on the network can use the hardcoded API key to authenticate to the router.

This enables the attacker to proxy API requests through your Shannon instance, effectively using your paid API credentials without authorization.

Such unauthorized usage can lead to unexpected charges, depletion of API quotas, and potential exposure of sensitive data contained in proxied requests and responses.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the router component of Keygraph Shannon is enabled and exposed on the network, specifically if port 3456 is bound to all network interfaces (0.0.0.0). The presence of a hardcoded API key "shannon-router-key" in the router configuration file (configs/router-config.json) is a key indicator.'}, {'type': 'paragraph', 'content': 'To detect this on your system or network, you can run commands to check for open ports and inspect configuration files:'}, {'type': 'list_item', 'content': 'Use netstat or ss to check if port 3456 is listening on 0.0.0.0 (all interfaces):'}, {'type': 'list_item', 'content': ' - netstat -tuln | grep 3456'}, {'type': 'list_item', 'content': ' - ss -tuln | grep 3456'}, {'type': 'list_item', 'content': 'Inspect the router configuration file for the hardcoded API key:'}, {'type': 'list_item', 'content': ' - grep -r "shannon-router-key" configs/router-config.json'}, {'type': 'list_item', 'content': 'Check environment variables exported by shell scripts for the presence of ANTHROPIC_AUTH_TOKEN set to the hardcoded key.'}, {'type': 'paragraph', 'content': 'Additionally, scanning for exposed web interfaces on ports 7233 and 8233 bound to 0.0.0.0 can help identify other related exposures.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting network exposure and removing hardcoded credentials:

• Bind all exposed ports, especially the router port 3456, to localhost (127.0.0.1) instead of 0.0.0.0 to prevent external network access.
• Replace the hardcoded API key in the router configuration with a randomly generated key at startup to avoid using a publicly known static key.
• Avoid exporting sensitive environment variables such as ANTHROPIC_AUTH_TOKEN globally; restrict environment variables passed to subprocesses to an allowlist.
• Remove or secure exposed web interfaces (ports 7233 and 8233) by adding authentication or binding them to localhost.
• Update to the version including commit 023cc95 or later, which mitigates the general exploitability of this vulnerability.

Useful 0 Not Useful 0