CVE-2026-50870
Deferred Deferred - Pending Action

Information Disclosure in Whoogle Search Configuration Endpoint

Vulnerability report for CVE-2026-50870, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ben_busby whoogle_search 1.2.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-50870 exposes sensitive configuration information, specifically Google Custom Search Engine credentials, to unauthorized users via the configuration endpoint and rendered preference states.

This exposure of sensitive information could potentially lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding sensitive data and preventing unauthorized access.

However, the provided information does not explicitly state the direct impact on compliance with these standards or any regulatory consequences.

Mitigation Strategies

To mitigate the vulnerability in Whoogle Search v1.2.3, you should immediately restrict access to the /config endpoint to prevent unauthorized users from retrieving sensitive Google Custom Search Engine credentials.

Additionally, consider removing or rotating the exposed cse_api_key and cse_id credentials to limit potential misuse.

Avoid relying solely on the WHOOGLE_CONFIG_DISABLE=1 setting, as it does not prevent credential exposure in the /config response or rendered preference state.

If possible, upgrade to a patched version of Whoogle Search that addresses this information disclosure issue.

Executive Summary

CVE-2026-50870 is an information disclosure vulnerability in Whoogle Search version 1.2.3. It allows attackers to obtain sensitive Google Custom Search Engine (CSE) credentials, specifically the API key and CSE ID, by sending a crafted GET request to the /config endpoint.

These credentials are exposed in the configuration and preference rendering paths, meaning that even non-administrative users can access them. The sensitive information may also appear in client-visible states such as form states or encoded preferences on other routes like / or /search.

Even if configuration changes are disabled via environment settings, the credentials remain exposed in the /config response and rendered preference state, leading to a read exposure of server-side configured API credentials to ordinary visitors.

Impact Analysis

This vulnerability can impact you by allowing attackers to misuse your exposed Google Custom Search Engine credentials. Attackers can consume your CSE quota or incur usage charges against your Google CSE configuration.

Since the credentials are exposed to any visitor without administrative privileges, unauthorized users can exploit them outside the application, potentially leading to service disruption or unexpected costs.

Detection Guidance

This vulnerability can be detected by sending a crafted GET request to the /config endpoint of the Whoogle Search v1.2.3 instance and checking if sensitive Google Custom Search Engine credentials such as cse_api_key and cse_id are exposed in the response.

Additionally, inspecting the responses from the / or /search routes for client-visible state containing these credentials can help identify the vulnerability.

  • Use a command like: curl -s http://<target-host>/config | grep -E 'cse_api_key|cse_id'
  • Alternatively, use a browser or HTTP client to manually inspect the /config endpoint response for exposed credentials.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50870. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart