CVE-2026-29872
Received Received - Intake
Cross-Session Info Disclosure in awesome-llm-apps via Env Variables

Publication date: 2026-03-30

Last updated on: 2026-04-06

Assigner: MITRE

Description
A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29872
EUVD
EUVD-2026-17141
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
theunwindai awesome_llm_apps 2026-01-19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29872 is a cross-session information disclosure vulnerability in the awesome-llm-apps project, specifically affecting a Streamlit-based GitHub MCP Agent. The vulnerability arises because user-supplied API tokens (such as GitHub Personal Access Tokens and OpenAI API keys) are stored in global process-wide environment variables (os.environ) without proper session isolation.

Since Streamlit serves multiple concurrent users within a single Python process, credentials set by one user remain accessible to other users in different sessions. This means that an attacker can retrieve sensitive tokens submitted by other users without authentication, leading to unauthorized access.

The root cause is the use of global environment variables for storing secrets instead of session-scoped storage, which violates session isolation boundaries.

Impact Analysis

This vulnerability can lead to unauthorized access to private resources by exposing sensitive credentials such as GitHub Personal Access Tokens and OpenAI API keys to unauthorized users.

  • An attacker can retrieve API tokens from other users without authentication.
  • Unauthorized access to private GitHub repositories may occur if tokens have appropriate permissions.
  • Misuse of OpenAI API keys can cause financial loss due to unauthorized API usage.
  • Potential modification or abuse of resources if tokens have write permissions.
Detection Guidance

This vulnerability can be detected by checking if user-supplied API tokens are stored in the global process-wide environment variables (os.environ) within the Streamlit-based application. Specifically, you can inspect the environment variables of the running Python process to see if sensitive tokens like GITHUB_TOKEN or OPENAI_API_KEY are present and accessible across sessions.

One way to detect this is to access the environment variables of the Streamlit process and verify if credentials from one user session are visible in another session.

  • Use commands like `ps aux | grep streamlit` to identify the running Streamlit process.
  • Attach to the process environment or use debugging tools to inspect environment variables, for example, by running a Python shell attached to the process or by adding diagnostic code to print `os.environ`.
  • Within the application, test by submitting credentials in one session and attempting to retrieve them in another unauthenticated session to confirm cross-session leakage.
Mitigation Strategies

Immediate mitigation involves avoiding the use of global environment variables (os.environ) to store user-supplied credentials in the Streamlit application.

Instead, credentials should be stored in session-scoped storage such as Streamlit's `st.session_state` to ensure proper session isolation.

  • Modify the application code to replace assignments like `os.environ["GITHUB_TOKEN"] = github_token` with `st.session_state["GITHUB_TOKEN"] = github_token`.
  • Retrieve tokens from `st.session_state` rather than from environment variables.
  • Clear sensitive data from session state after use to prevent lingering credentials.

These steps will prevent credentials from leaking across user sessions and protect against unauthorized access.

Compliance Impact

This vulnerability causes cross-session leakage of sensitive credentials such as GitHub Personal Access Tokens and LLM API keys by storing them in global environment variables without session isolation.

Such unauthorized disclosure of sensitive information violates fundamental security principles of data confidentiality and access control, which are critical requirements in common standards and regulations like GDPR and HIPAA.

Specifically, the exposure of personal or sensitive data to unauthorized users can lead to non-compliance with data protection regulations that mandate strict controls on access to personal and sensitive information.

Therefore, this vulnerability undermines compliance by enabling unauthorized access to sensitive credentials, potentially resulting in data breaches and financial abuse.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29872. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart