CVE-2026-50870
Received - Intake
Information Disclosure in Whoogle Search Configuration Endpoint

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: ben_busby
Product: whoogle_search
Version / Range: 1.2.3
CWE ID: CWE-UNKNOWN
Compliance Impact

CVE-2026-50870 exposes sensitive configuration information, specifically Google Custom Search Engine credentials, to unauthorized users via the configuration endpoint and rendered preference states.

This exposure of sensitive information could potentially lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding sensitive data and preventing unauthorized access.

However, the provided information does not explicitly state the direct impact on compliance with these standards or any regulatory consequences.

Mitigation Strategies

To mitigate the vulnerability in Whoogle Search v1.2.3, you should immediately restrict access to the /config endpoint to prevent unauthorized users from retrieving sensitive Google Custom Search Engine credentials.

Additionally, consider removing or rotating the exposed cse_api_key and cse_id credentials to limit potential misuse.

Avoid relying solely on the WHOOGLE_CONFIG_DISABLE=1 setting, as it does not prevent credential exposure in the /config response or rendered preference state.

If possible, upgrade to a patched version of Whoogle Search that addresses this information disclosure issue.

Executive Summary

CVE-2026-50870 is an information disclosure vulnerability in Whoogle Search version 1.2.3. It allows attackers to obtain sensitive Google Custom Search Engine (CSE) credentials, specifically the API key and CSE ID, by sending a crafted GET request to the /config endpoint.

These credentials are exposed in the configuration and preference rendering paths, meaning that even non-administrative users can access them. The sensitive information may also appear in client-visible states such as form states or encoded preferences on other routes like / or /search.

Even if configuration changes are disabled via environment settings, the credentials remain exposed in the /config response and rendered preference state, so API credentials configured on the server side stay readable by ordinary visitors.

Impact Analysis

This vulnerability can impact you by allowing attackers to misuse your exposed Google Custom Search Engine credentials. Attackers can consume your CSE quota or incur usage charges against your Google CSE configuration.

Since the credentials are exposed to any visitor without administrative privileges, unauthorized users can exploit them outside the application, potentially leading to service disruption or unexpected costs.

Detection Guidance

This vulnerability can be detected by sending a crafted GET request to the /config endpoint of the Whoogle Search v1.2.3 instance and checking if sensitive Google Custom Search Engine credentials such as cse_api_key and cse_id are exposed in the response.

Additionally, inspecting the responses from the / or /search routes for client-visible state containing these credentials can help identify the vulnerability.

  • Use a command like: curl -s http://<target-host>/config | grep -E 'cse_api_key|cse_id'
  • Alternatively, use a browser or HTTP client to manually inspect the /config endpoint response for exposed credentials.
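
The grep check above matches the field name even when its value is empty. The following added example (not part of the advisory or of the Whoogle project) reports only fields that actually carry a value, and prints field names rather than the secrets themselves. The response shapes (a JSON object for /config, HTML form inputs on other routes) and the sample bodies are assumptions constructed for illustration; encoded preference blobs are not decoded.

```python
import json
import sys
from html.parser import HTMLParser

SENSITIVE = {"cse_api_key", "cse_id"}  # field names given in the advisory

# Constructed sample bodies (assumed shapes, not captured from a real instance).
SAMPLE_JSON = '{"lang": "en", "cse_api_key": "EXAMPLE-KEY", "cse_id": ""}'
SAMPLE_HTML = '<form><input name="cse_id" value="EXAMPLE-ID"><input name="q"></form>'


class _FormScan(HTMLParser):
    """Collect sensitive <input> names that carry a non-empty value."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and attr.get("name") in SENSITIVE and attr.get("value"):
            self.found.add(attr["name"])


def exposed_fields(body):
    """Return the names (never the values) of populated sensitive fields."""
    found = set()

    def check(obj):  # json calls this for every decoded object, nested ones too
        found.update(k for k in SENSITIVE if obj.get(k) not in (None, "", [], {}))
        return obj

    try:
        json.loads(body, object_hook=check)
    except ValueError:  # not JSON: treat the body as HTML
        scan = _FormScan()
        scan.feed(body)
        found |= scan.found
    return found


if __name__ == "__main__":
    hits = exposed_fields(sys.stdin.read())  # e.g. piped from curl -s .../config
    print("EXPOSED: " + ", ".join(sorted(hits)) if hits else "no populated CSE fields")
    sys.exit(1 if hits else 0)
```

Pipe a saved response body from an instance you operate into the script; the non-zero exit status on exposure makes it usable as a post-mitigation regression check.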