CVE-2026-11347
Deferred Deferred - Pending Action
Hardcoded Cryptographic Keys and Weak IV Generation in linqi

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: 86c47df7-7d28-48da-920a-6423c52fd3da

Description
The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with local access can leverage these vulnerabilities to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-11347
EUVD
EUVD-2026-34811
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linqi linqi_onpremise to 1.4.8.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in linqi involves hardcoded cryptographic keys and weak IV generation for AES/CBC encryption, which can lead to the decryption of sensitive information such as database credentials. This exposure of sensitive data can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strong protection of personal and sensitive data to prevent unauthorized access.

Specifically, the ability for an attacker with local access to decrypt sensitive configuration data increases the risk of data breaches, which may result in non-compliance with data protection requirements and could lead to legal and financial consequences under these regulations.

Executive Summary

CVE-2026-11347 is a high-severity vulnerability in the linqi OnPremise application versions prior to 1.4.8.6. It involves the use of hardcoded cryptographic keys and a weak algorithm that generates Initialization Vectors (IVs) with a limited ASCII charset for AES/CBC encryption. This weak IV generation makes known-plaintext attacks feasible.

An attacker with local access to the system can exploit these weaknesses to decrypt sensitive obfuscated strings, such as ConnectionString values containing database credentials stored in appsettings.json.

Impact Analysis

This vulnerability can lead to unauthorized decryption of sensitive information, including database credentials, if an attacker gains local access to the affected system.

Such exposure can compromise the confidentiality and integrity of your data and systems, potentially allowing attackers to access databases or other protected resources.

Because the cryptographic protections are weakened, attackers can bypass encryption safeguards, increasing the risk of data breaches.

Detection Guidance

Detection of this vulnerability involves identifying the presence of hardcoded cryptographic keys and weak IV generation algorithms in the linqi OnPremise application binaries or source code.

You can check the version of the linqi OnPremise application installed on your system to see if it is prior to 1.4.8.6, which is vulnerable.

Commands to detect the vulnerability might include:

  • Check the installed version of linqi OnPremise: `linqi --version` or check the application metadata.
  • Search binaries or source code for hardcoded cryptographic keys using grep or strings, e.g., `strings linqi_binary | grep -i key`.
  • Look for weak IV generation patterns in the code if source code is available.
Mitigation Strategies

The primary immediate mitigation step is to update the linqi OnPremise application to version 1.4.8.6 or later, where this vulnerability has been fully resolved.

Until the update can be applied, restrict local access to the system to trusted users only, as the attack requires local access.

Review and rotate any potentially exposed database credentials found in appsettings.json or other configuration files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11347. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart