CVE-2026-7041
Received Received - Intake
Information Disclosure via SECRET Argument Manipulation in Werkzeug Debugger

Publication date: 2026-04-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in 666ghj MiroFish up to 0.1.2. The impacted element is an unknown function of the file /console of the component Werkzeug Debugger PIN Handler. Performing a manipulation of the argument SECRET results in information disclosure. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7041
EUVD
EUVD-2026-25717
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
666ghj mirofish to 0.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7041 is a critical vulnerability in MiroFish version 0.1.2 that arises from the Werkzeug Debugger being enabled in debug mode. This debugger exposes a console endpoint (/console) that reveals a secret key and a PIN used for authentication.

An attacker can remotely access this console, use the leaked secret and PIN to authenticate, and then execute arbitrary Python code on the server. This allows the attacker to run commands, read sensitive files, and potentially take full control of the system running MiroFish.

Impact Analysis

This vulnerability can have severe impacts including full remote code execution on the affected server. An attacker can execute arbitrary commands, steal sensitive data such as API keys, move laterally within internal networks, install backdoors, and fully compromise the system.

  • Execution of arbitrary OS commands via the debugger console.
  • Theft of sensitive files and credentials (e.g., .env files containing API keys).
  • Potential full system compromise and persistent backdoor installation.
Detection Guidance

This vulnerability can be detected by checking if the MiroFish server is running in debug mode and exposing the Werkzeug debugger console. Indicators include the presence of Werkzeug/3.1.4 in HTTP response headers and accessibility of the /console endpoint.

You can verify the debugger secret by accessing the /console page and inspecting the JavaScript source for the SECRET value.

Additionally, check server startup logs for the Werkzeug debugger PIN.

Example commands to test the vulnerability after authentication include running OS commands such as:

  • `whoami` - to identify the application user.
  • `id` - to get user and group IDs.
  • `uname -a` - to retrieve system information.
Mitigation Strategies

The primary mitigation step is to disable debug mode in the MiroFish application to prevent exposure of the Werkzeug debugger.

Specifically, change the DEBUG setting in the backend/app/config.py file from enabling debug mode by default:

  • From: `DEBUG = os.environ.get('FLASK_DEBUG', 'True').lower() == 'true'`
  • To: `DEBUG = os.environ.get('FLASK_DEBUG', 'False').lower() == 'true'`

This change will disable the Werkzeug debugger and mitigate the vulnerability.

Compliance Impact

CVE-2026-7041 allows unauthenticated attackers to gain full remote code execution on MiroFish 0.1.2 servers by exploiting the exposed Werkzeug debugger in debug mode. This leads to complete system compromise and data theft, including the exposure of sensitive files such as environment variables containing API keys.

Such unauthorized access and data disclosure can result in violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information. The vulnerability's potential for data exfiltration and system compromise undermines the confidentiality and integrity of data, thereby impacting compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart