CVE-2026-29872
Cross-Session Info Disclosure in awesome-llm-apps via Env Variables
Publication date: 2026-03-30
Last updated on: 2026-04-06
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| theunwindai | awesome_llm_apps | 2026-01-19 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes cross-session leakage of sensitive credentials such as GitHub Personal Access Tokens and LLM API keys by storing them in global environment variables without session isolation.
Such unauthorized disclosure of sensitive information violates fundamental security principles of data confidentiality and access control, which are critical requirements in common standards and regulations like GDPR and HIPAA.
Specifically, the exposure of personal or sensitive data to unauthorized users can lead to non-compliance with data protection regulations that mandate strict controls on access to personal and sensitive information.
Therefore, this vulnerability undermines compliance by enabling unauthorized access to sensitive credentials, potentially resulting in data breaches and financial abuse.
Can you explain this vulnerability to me?
CVE-2026-29872 is a cross-session information disclosure vulnerability in the awesome-llm-apps project, specifically affecting a Streamlit-based GitHub MCP Agent. The vulnerability arises because user-supplied API tokens (such as GitHub Personal Access Tokens and OpenAI API keys) are stored in global process-wide environment variables (os.environ) without proper session isolation.
Since Streamlit serves multiple concurrent users within a single Python process, credentials set by one user remain accessible to other users in different sessions. This means that an attacker can retrieve sensitive tokens submitted by other users without authentication, leading to unauthorized access.
The root cause is the use of global environment variables for storing secrets instead of session-scoped storage, which violates session isolation boundaries.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to private resources by exposing sensitive credentials such as GitHub Personal Access Tokens and OpenAI API keys to unauthorized users.
- An attacker can retrieve API tokens from other users without authentication.
- Unauthorized access to private GitHub repositories may occur if tokens have appropriate permissions.
- Misuse of OpenAI API keys can cause financial loss due to unauthorized API usage.
- Potential modification or abuse of resources if tokens have write permissions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if user-supplied API tokens are stored in the global process-wide environment variables (os.environ) within the Streamlit-based application. Specifically, you can inspect the environment variables of the running Python process to see if sensitive tokens like GITHUB_TOKEN or OPENAI_API_KEY are present and accessible across sessions.
One way to detect this is to access the environment variables of the Streamlit process and verify if credentials from one user session are visible in another session.
- Use commands like `ps aux | grep streamlit` to identify the running Streamlit process.
- Inspect the environment of the running process with debugging tools, for example by attaching a Python shell to the process or by adding diagnostic code that prints `os.environ`.
- Within the application, test by submitting credentials in one session and attempting to retrieve them in another unauthenticated session to confirm cross-session leakage.
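A source-level check complements the runtime inspection above. The following is an added example, not code from the awesome-llm-apps project: it walks a Python file's AST and reports every runtime write to `os.environ`; the sample application source is constructed to mirror the assignment pattern described on this page.

```python
import ast

# Constructed sample source reproducing the pattern the advisory describes.
SAMPLE_APP = '''
import os
import streamlit as st

github_token = st.text_input("GitHub Token", type="password")
openai_key = st.text_input("OpenAI API Key", type="password")
if github_token:
    os.environ["GITHUB_TOKEN"] = github_token
if openai_key:
    os.environ.update({"OPENAI_API_KEY": openai_key})
st.session_state["model"] = "placeholder"
'''

WRITE_METHODS = {"update", "setdefault", "__setitem__"}

def _is_os_environ(node):
    """True for the literal expression `os.environ` (aliases are not resolved)."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")

def find_environ_writes(source):
    """Return sorted (line, snippet) pairs for every runtime write to os.environ."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        targets = []
        if isinstance(node, ast.Assign):
            targets = node.targets
        elif isinstance(node, (ast.AugAssign, ast.AnnAssign)):
            targets = [node.target]
        hit = any(isinstance(t, ast.Subscript) and _is_os_environ(t.value) for t in targets)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            f = node.func
            # os.environ.update(...), os.environ.setdefault(...), os.putenv(...)
            hit = hit or (_is_os_environ(f.value) and f.attr in WRITE_METHODS)
            hit = hit or (f.attr == "putenv" and isinstance(f.value, ast.Name) and f.value.id == "os")
        if hit:
            findings.append((node.lineno, ast.get_source_segment(source, node)))
    return sorted(findings)

if __name__ == "__main__":
    for line, snippet in find_environ_writes(SAMPLE_APP):
        print(f"line {line}: {snippet}")
```

Each finding still needs a manual look to decide whether the value written originates from user input.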
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves avoiding the use of global environment variables (os.environ) to store user-supplied credentials in the Streamlit application.
Instead, credentials should be stored in session-scoped storage such as Streamlit's `st.session_state` to ensure proper session isolation.
- Modify the application code to replace assignments like `os.environ["GITHUB_TOKEN"] = github_token` with `st.session_state["GITHUB_TOKEN"] = github_token`.
- Retrieve tokens from `st.session_state` rather than from environment variables.
- Clear sensitive data from session state after use to prevent lingering credentials.
These steps will prevent credentials from leaking across user sessions and protect against unauthorized access.
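The leak and the fix side by side, as an added example that is not the project's code. Plain dicts stand in for each user's `st.session_state` so it runs without Streamlit, and the token value is constructed. It goes one step beyond the page by assuming a child process needs the token, which it receives through a private `env=` copy instead of through `os.environ`.

```python
import os
import subprocess
import sys

# Hypothetical child command standing in for a tool that reads GITHUB_TOKEN
# from its own environment and prints the value it sees.
CHILD = [sys.executable, "-c", "import os; print(os.environ.get('GITHUB_TOKEN', ''))"]

def vulnerable_submit(token):
    """Pattern from the advisory: the secret lands in process-wide state."""
    os.environ["GITHUB_TOKEN"] = token

def vulnerable_read():
    """Any other session in the same process sees the last submitted token."""
    return os.environ.get("GITHUB_TOKEN")

def hardened_submit(session_state, token):
    """Keep the secret in the caller's own session mapping."""
    session_state["GITHUB_TOKEN"] = token

def hardened_run_tool(session_state):
    """Hand the token to one child process only, via a private env copy."""
    child_env = dict(os.environ)
    child_env["GITHUB_TOKEN"] = session_state["GITHUB_TOKEN"]
    out = subprocess.run(CHILD, env=child_env, capture_output=True, text=True, check=True)
    return out.stdout.strip()

def demo():
    """Run both patterns with two simulated sessions and report what each sees."""
    os.environ.pop("GITHUB_TOKEN", None)
    vulnerable_submit("constructed-token-A")   # submitted in session A
    leaked = vulnerable_read()                 # read from session B
    os.environ.pop("GITHUB_TOKEN", None)

    session_a, session_b = {}, {}
    hardened_submit(session_a, "constructed-token-A")
    child_saw = hardened_run_tool(session_a)
    session_a.pop("GITHUB_TOKEN", None)        # clear after use
    return {
        "leaked": leaked,
        "session_b_sees": session_b.get("GITHUB_TOKEN"),
        "process_env_sees": os.environ.get("GITHUB_TOKEN"),
        "child_saw": child_saw,
        "session_a_after_clear": session_a.get("GITHUB_TOKEN"),
    }

if __name__ == "__main__":
    print(demo())
```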