CVE-2026-4994
Received
Received - Intake
Information Exposure via Argument Manipulation in wandb OpenUI APIStatusError Handler
Vulnerability report for CVE-2026-4994, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
A vulnerability was found in wandb OpenUI up to 1.0/3.5-turb. Affected is the function generic_exception_handler of the file backend/openui/server.py of the component APIStatusError Handler. The manipulation of the argument key results in information exposure through error message. Access to the local network is required for this attack. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wandb | openui | to 1.0|end_including=3.5-turb (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |