CVE-2026-30994
Improper Access Control in Slah config.php Exposes Sessions
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| slah_informΓ‘tica | slah | to 1.5.0 (inc) |
| slah | slah | to 1.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an incorrect access control issue in the config.php component of Slah CMS versions 1.5.0 and below. It allows unauthenticated attackers to access sensitive information, including active session credentials.
Technically, the vulnerability arises because the session() function in config.php logs every session key-value pair in plaintext to a publicly accessible JavaScript file (public/assets/js/logged.js). This file is served without any access control or encryption, so anyone can retrieve it remotely.
The logged data includes sensitive information such as email addresses, passwords, login status flags, and unique user identifiers. Attackers can use this information to monitor active sessions and perform unauthorized logins, including administrative account takeovers.
How can this vulnerability impact me? :
This vulnerability can lead to a complete compromise of administrative accounts and unauthorized access to sensitive governmental web management interfaces.
Attackers can harvest plaintext session credentials from a publicly accessible file and use them to bypass authentication, gaining control over administrative dashboards.
The breach compromises the confidentiality and integrity of public sector administrative operations, potentially allowing attackers to manipulate or steal sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the publicly accessible JavaScript file "public/assets/js/logged.js" contains sensitive session information such as plaintext usernames, passwords, and user identifiers.
A simple command to detect this vulnerability is to use cURL to fetch the first lines of the logged.js file and inspect its contents.
- curl -s "https://[SUBDOMAIN].[DOMAIN].gov.br/public/assets/js/logged.js" | head -n 20
This command retrieves the first 20 lines of the log file, which may reveal active session credentials and user identifiers if the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing the insecure logging mechanism in the config.php file, specifically the code that writes session credentials to the publicly accessible logged.js file.
Session credentials must never be written to publicly accessible static files such as .js, .txt, or .inc files.
Additionally, update the Slah CMS to the latest patched version released by the vendor on January 5, 2026, which addresses this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability exposes sensitive session credentials, including plaintext usernames, passwords, email addresses, and user identifiers, through a publicly accessible JavaScript file. Such exposure constitutes a breach of confidentiality and integrity of sensitive data.
The unauthorized disclosure of personal and authentication data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls over the confidentiality, integrity, and security of personal and sensitive information.
Specifically, the vulnerability violates best practices for secure data handling by storing sensitive information in cleartext in an externally accessible location, increasing the risk of data breaches and unauthorized access, which are critical compliance concerns under these regulations.