CVE-2026-7041
Information Disclosure via SECRET Argument Manipulation in Werkzeug Debugger
Publication date: 2026-04-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 666ghj | mirofish | up to and including 0.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7041 is a critical vulnerability in MiroFish version 0.1.2 that arises from the application shipping with Flask debug mode enabled by default, which turns on the Werkzeug interactive debugger. The debugger exposes a console endpoint (/console) whose page source embeds the per-process debugger SECRET in its inline JavaScript; the PIN that gates the console is printed to the server's standard output at startup.
An attacker who can reach the endpoint and supply a valid PIN can authenticate to the console with the leaked SECRET and PIN, and then execute arbitrary Python code inside the server process, with the privileges of the user running MiroFish. From there the attacker can run OS commands, read sensitive files, and potentially take full control of the system.
How can this vulnerability impact me?
This vulnerability can have severe impacts, up to full remote code execution on the affected server. An attacker can execute arbitrary commands, steal sensitive data such as API keys, move laterally within internal networks, install backdoors, and fully compromise the system.
- Execution of arbitrary Python, and through it arbitrary OS commands, via the debugger console.
- Theft of sensitive files and credentials (e.g., .env files containing API keys).
- Potential full system compromise and persistent backdoor installation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the MiroFish server is running the Flask/Werkzeug development server in debug mode with the debugger console reachable. A Server header such as Werkzeug/3.1.4 shows that the development server is in use but does not by itself prove debug mode; the confirming indicator is that an unauthenticated GET /console returns the Werkzeug Debugger console page (HTTP 200) instead of the application's normal 404.
You can read the debugger SECRET from the /console page: it appears in the inline script as `SECRET = "..."`.
The PIN is not in the page. Check the server's startup output for the line ` * Debugger PIN: ...`, which is where Werkzeug prints it.
The console evaluates Python, not a shell, so OS commands are run through the standard library (for example `subprocess.run([...], capture_output=True)`). Typical post-authentication checks are:
- `whoami` - to identify the application user.
- `id` - to get user and group IDs.
- `uname -a` - to retrieve system information.
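The following is an added detection helper, not code from the advisory or from the MiroFish project. It classifies a fetched /console body using the two markers the Werkzeug debugger itself emits (the "Werkzeug Debugger" page title and the `SECRET = "..."` assignment in the inline script) and records whether the Server header names the development server. The two sample page bodies are constructed for the example; the secret value in them is made up.

```python
"""Check whether a Flask/Werkzeug host exposes the interactive debugger console.

Added example for this advisory; not MiroFish's own code.
"""
import re
import urllib.error
import urllib.request

# Constructed sample of what /console returns when debug mode is on.
# A real page carries the same SECRET assignment; this value is made up.
SAMPLE_CONSOLE_PAGE = """<!doctype html>
<html lang=en>
  <head>
    <title>Console // Werkzeug Debugger</title>
    <script>
      var CONSOLE_MODE = true,
          EVALEX = true,
          EVALEX_TRUSTED = false,
          SECRET = "Ab12cd34Ef56gh78Ij90";
    </script>
  </head>
  <body><div class="pin-prompt"></div></body>
</html>
"""

# Constructed sample of the ordinary 404 body served when debug mode is off.
SAMPLE_NOT_FOUND_PAGE = "<!doctype html><title>404 Not Found</title><h1>Not Found</h1>"

# The debugger embeds an alphanumeric per-process secret in its inline script.
SECRET_RE = re.compile(r'SECRET\s*=\s*"([A-Za-z0-9]+)"')


def parse_console_page(html: str) -> dict:
    """Classify a response body from /console.

    debugger_enabled: the body is the Werkzeug debugger's console page
    secret:           the SECRET embedded in that page, if present
    """
    is_debugger = "Werkzeug Debugger" in html
    match = SECRET_RE.search(html)
    return {
        "debugger_enabled": is_debugger,
        "secret": match.group(1) if (is_debugger and match) else None,
    }


def check_host(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch <base_url>/console and report status, Server header and the parse result.

    This makes a network request; only scan hosts you are authorized to test.
    """
    url = base_url.rstrip("/") + "/console"
    req = urllib.request.Request(url, headers={"User-Agent": "werkzeug-debug-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            status = resp.status
            server = resp.headers.get("Server", "")
    except urllib.error.HTTPError as err:  # 404 and other error codes still carry a body
        body = err.read().decode("utf-8", "replace")
        status = err.code
        server = err.headers.get("Server", "")
    result = parse_console_page(body)
    result.update({
        "url": url,
        "status": status,
        "server": server,
        # Dev server in use is a warning sign on its own, even without debug mode.
        "dev_server": server.startswith("Werkzeug/"),
    })
    return result


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(check_host(target))
```

A host where `debugger_enabled` is true is exposing the console; `dev_server` alone means the Werkzeug development server is reachable and should not be serving production traffic even if debug mode is off.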
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to disable debug mode in the MiroFish application so that the Werkzeug debugger is never enabled.
Specifically, change the DEBUG setting in the backend/app/config.py file so that debug mode is off unless explicitly requested:
- From: `DEBUG = os.environ.get('FLASK_DEBUG', 'True').lower() == 'true'`
- To: `DEBUG = os.environ.get('FLASK_DEBUG', 'False').lower() == 'true'`
This change only alters the default: a deployment that sets FLASK_DEBUG=true in its environment will still enable the debugger, so make sure that variable is unset (or false) wherever the service is reachable from other machines. Do not serve production traffic from the Werkzeug development server at all; put the application behind a production WSGI server. If an instance was exposed with the debugger enabled, treat any secrets it could read (for example the API keys in its .env file) as compromised and rotate them.
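Added example, not MiroFish's own code: the advisory quotes only the single DEBUG line from the project's config.py, so everything else here (the APP_ENV and HOST variable names, the `is_safe_to_run` guard) is an assumed pattern for how a Flask application can parse the flag safely and refuse to start with the debugger reachable from other hosts.

```python
"""Safe debug-flag handling for a Flask app, as a hardened counterpart to the
fixed config line quoted above. Added example; not MiroFish's own code.
"""
import os
from typing import Optional, Tuple

# Only these spellings turn a flag on; anything else (including unset) is off.
TRUE_VALUES = {"1", "true", "yes", "on"}

# Addresses on which an interactive debugger is tolerable during development.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def env_flag(name: str, default: bool = False, env: Optional[dict] = None) -> bool:
    """Parse a boolean environment variable; defaults to False when unset."""
    source = os.environ if env is None else env
    raw = source.get(name)
    if raw is None:
        return default
    return raw.strip().lower() in TRUE_VALUES


def debug_enabled(env: Optional[dict] = None) -> bool:
    """Equivalent of the corrected config line: debug is off unless FLASK_DEBUG asks for it."""
    return env_flag("FLASK_DEBUG", default=False, env=env)


def is_safe_to_run(debug: bool, host: str, app_env: str) -> Tuple[bool, str]:
    """Decide whether the process may start with the given settings.

    Debug mode (and therefore the Werkzeug debugger) is allowed only when the
    deployment is not marked production and the server binds to loopback.
    """
    if not debug:
        return True, "debug off"
    if app_env.strip().lower() in {"prod", "production"}:
        return False, "FLASK_DEBUG is set in a production deployment"
    if host not in LOOPBACK_HOSTS:
        return False, f"debugger would be exposed on {host}; bind to 127.0.0.1 or disable debug"
    return True, "debug on, loopback only"


if __name__ == "__main__":
    # APP_ENV and HOST are assumed names for this example, not MiroFish settings.
    debug = debug_enabled()
    host = os.environ.get("HOST", "127.0.0.1")
    app_env = os.environ.get("APP_ENV", "development")
    ok, reason = is_safe_to_run(debug, host, app_env)
    if not ok:
        raise SystemExit(f"refusing to start: {reason}")
    print(f"starting ({reason})")
```

The guard fails closed: an operator who forgets to unset FLASK_DEBUG on a host bound to 0.0.0.0 gets a refusal at startup rather than an internet-facing console.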
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-7041 allows attackers who can reach the exposed Werkzeug debugger on a MiroFish 0.1.2 server, and who obtain its PIN, to gain full remote code execution. This leads to complete system compromise and data theft, including the exposure of sensitive files such as environment variables containing API keys.
Such unauthorized access and data disclosure can result in violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information. The vulnerability's potential for data exfiltration and system compromise undermines the confidentiality and integrity of data, thereby impacting compliance with these standards.