CVE-2026-5128
Sensitive Data Exposure in ArthurFiorette Steam-Trader
Publication date: 2026-03-30
Last updated on: 2026-03-31
Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arthurfiorette | steam-trader | up to 2.1.1 (excluding 2.1.1) |
| arthurfiorette | steam-trader | 2.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ArthurFiorette steam-trader version 2.1.1, where an unauthenticated attacker can send a request to the /users API endpoint and retrieve highly sensitive Steam account data.
The exposed data includes the account username, password, identity secret, and shared secret. Additionally, application logs reveal authentication artifacts such as access tokens, refresh tokens, and session identifiers.
With this information, an attacker can generate valid Steam Guard two-factor authentication codes, hijack authenticated sessions, and gain full control over the affected Steam account, including unauthorized access to inventory and trading features.
No fix is available because the repository is archived and no longer maintained.
How can this vulnerability impact me?
This vulnerability can have severe impacts including complete compromise of your Steam account.
- Attackers can obtain your account username and password.
- Attackers can retrieve identity and shared secrets, enabling them to generate valid Steam Guard 2FA codes.
- Attackers can hijack authenticated sessions using exposed access tokens, refresh tokens, and session identifiers.
- Full control over your Steam account can be gained, including unauthorized access to your inventory and trading functionality.
Because the repository is archived and unmaintained, no fix is available, leaving affected users vulnerable.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or unusual requests to the /users API endpoint of the steam-trader application, which may indicate attempts to retrieve sensitive Steam account data.
Additionally, inspecting application logs for exposure of authentication artifacts such as access tokens, refresh tokens, and session identifiers can help identify exploitation attempts.
Network monitoring tools or web server logs can be used to detect suspicious GET or POST requests targeting the /users endpoint without proper authentication.
- Use curl or wget to manually test the /users endpoint for unauthorized access, e.g., `curl http://<host>:<port>/users`.
- Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests to the /users endpoint: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/users'`.
- Check application logs for the presence of sensitive tokens or session identifiers using grep, e.g., `grep -E 'access_token|refresh_token|session_id' /path/to/logfile`.
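As an added example (not from this advisory or the steam-trader project), the following Python script applies both checks above to constructed sample log lines: it flags successful /users responses served to addresses outside a trusted set, and reports which sensitive fields the application log carries, printing only a redacted prefix so the detector does not re-expose the secret. The access-log format, the application-log format and the field names are assumptions.

```python
import re

# Constructed sample access log (common log format); not real traffic.
ACCESS_LOG = """\
127.0.0.1 - - [30/Mar/2026:10:00:01 +0000] "GET /users HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [30/Mar/2026:10:00:05 +0000] "GET /users HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [30/Mar/2026:10:00:09 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/8.4.0"
198.51.100.2 - - [30/Mar/2026:10:01:00 +0000] "POST /users HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Constructed sample application log; field names are assumed (CWE-532 pattern).
APP_LOG = """\
2026-03-30T10:00:05Z INFO login ok user=alice access_token=eyJabc.def.ghi refresh_token=r-12345
2026-03-30T10:00:06Z DEBUG session_id=9f2c0d steam login complete
2026-03-30T10:00:07Z INFO trade offer 42 accepted
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SENSITIVE_RE = re.compile(
    r'\b(access_token|refresh_token|session_id|identity_secret|shared_secret)=(\S+)'
)


def find_users_requests(access_log, trusted_ips=frozenset({"127.0.0.1"})):
    """Return (ip, method, status) for /users requests that were answered with 2xx
    to a source outside trusted_ips. A 2xx means account data was actually served;
    rejected (4xx) probes are not counted here but could be reported separately."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path != "/users" or m.group("ip") in trusted_ips:
            continue
        if m.group("status").startswith("2"):
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits


def find_leaked_secrets(app_log):
    """Return (line_no, field, redacted_value) for every sensitive field written to
    the log. Only the first four characters are kept so the report itself is safe."""
    leaks = []
    for n, line in enumerate(app_log.splitlines(), 1):
        for field, value in SENSITIVE_RE.findall(line):
            leaks.append((n, field, value[:4] + "***"))
    return leaks


if __name__ == "__main__":
    print("untrusted /users hits:", find_users_requests(ACCESS_LOG))
    print("secrets in app log:", find_leaked_secrets(APP_LOG))
```

Point `find_users_requests` at your reverse proxy or web server access log and `find_leaked_secrets` at the application log; any hit from the second function is itself a CWE-532 finding that warrants rotating the exposed tokens.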
What immediate steps should I take to mitigate this vulnerability?
Since no fix is available due to the repository being archived and no longer maintained, immediate mitigation steps focus on restricting access and minimizing exposure.
- Restrict access to the steam-trader application by limiting network exposure, such as binding the service to localhost or using firewall rules to allow only trusted IP addresses.
- Use a reverse proxy with authentication and IP whitelisting to prevent unauthorized access to the /users API endpoint.
- Avoid deploying the application on public or untrusted hosting environments without proper access controls.
- Monitor logs and network traffic for suspicious activity targeting the vulnerable endpoint.
- Consider discontinuing use of the steam-trader 2.1.1 application or migrating to a more secure alternative.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes highly sensitive personal information such as account usernames, passwords, identity secrets, shared secrets, and authentication tokens without authentication. Such exposure can lead to unauthorized access and control over user accounts.
Given the nature of the exposed data, this vulnerability likely violates data protection requirements under common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access and disclosure.
The lack of a fix and the archived status of the repository further exacerbate compliance risks, as organizations using this software cannot remediate the vulnerability, potentially leading to non-compliance with security and privacy obligations.