CVE-2026-5128
Received Received - Intake
Sensitive Data Exposure in ArthurFiorette Steam-Trader

Publication date: 2026-03-30

Last updated on: 2026-03-31

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-03-31
NVD
CVE-2026-5128
EUVD
EUVD-2026-17075
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
arthurfiorette steam-trader to 2.1.1 (exc)
arthurfiorette steam-trader 2.1.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ArthurFiorette steam-trader version 2.1.1, where an unauthenticated attacker can send a request to the /users API endpoint and retrieve highly sensitive Steam account data.

The exposed data includes the account username, password, identity secret, and shared secret. Additionally, application logs reveal authentication artifacts such as access tokens, refresh tokens, and session identifiers.

With this information, an attacker can generate valid Steam Guard two-factor authentication codes, hijack authenticated sessions, and gain full control over the affected Steam account, including unauthorized access to inventory and trading features.

No fix is available because the repository is archived and no longer maintained.

Impact Analysis

This vulnerability can have severe impacts including complete compromise of your Steam account.

  • Attackers can obtain your account username and password.
  • Attackers can retrieve identity and shared secrets, enabling them to generate valid Steam Guard 2FA codes.
  • Attackers can hijack authenticated sessions using exposed access tokens, refresh tokens, and session identifiers.
  • Full control over your Steam account can be gained, including unauthorized access to your inventory and trading functionality.

Because the repository is archived and unmaintained, no fix is available, leaving affected users vulnerable.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unusual requests to the /users API endpoint of the steam-trader application, which may indicate attempts to retrieve sensitive Steam account data.

Additionally, inspecting application logs for exposure of authentication artifacts such as access tokens, refresh tokens, and session identifiers can help identify exploitation attempts.

Network monitoring tools or web server logs can be used to detect suspicious GET or POST requests targeting the /users endpoint without proper authentication.

  • Use curl or wget to manually test the /users endpoint for unauthorized access, e.g., `curl http://<host>:<port>/users`.
  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests to the /users endpoint: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/users'`.
  • Check application logs for presence of sensitive tokens or session identifiers using grep, e.g., `grep -E 'access_token|refresh_token|session_id' /path/to/logfile`.
Mitigation Strategies

Since no fix is available due to the repository being archived and no longer maintained, immediate mitigation steps focus on restricting access and minimizing exposure.

  • Restrict access to the steam-trader application by limiting network exposure, such as binding the service to localhost or using firewall rules to allow only trusted IP addresses.
  • Use a reverse proxy with authentication and IP whitelisting to prevent unauthorized access to the /users API endpoint.
  • Avoid deploying the application on public or untrusted hosting environments without proper access controls.
  • Monitor logs and network traffic for suspicious activity targeting the vulnerable endpoint.
  • Consider discontinuing use of the steam-trader 2.1.1 application or migrating to a more secure alternative.
Compliance Impact

This vulnerability exposes highly sensitive personal information such as account usernames, passwords, identity secrets, shared secrets, and authentication tokens without authentication. Such exposure can lead to unauthorized access and control over user accounts.

Given the nature of the exposed data, this vulnerability likely violates data protection requirements under common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access and disclosure.

The lack of a fix and the archived status of the repository further exacerbate compliance risks, as organizations using this software cannot remediate the vulnerability, potentially leading to non-compliance with security and privacy obligations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5128. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart