CVE-2026-56783
Received - Intake

Information Disclosure in Parseable via Notification API

Vulnerability report for CVE-2026-56783, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 3 associated CPEs

Vendor       Product     Version / Range
parseablehq  parseable   up to 2.9.2 (excluding)
parseablehq  parseable   2.8.0
parseablehq  parseable   2.9.1

Exploitability

CWE-522: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Executive Summary

CVE-2026-56783 is an information disclosure vulnerability in Parseable versions before 2.9.2. The issue occurs in the notification-target API endpoints, where webhook tokens and basic-auth credentials are returned in cleartext because the secret-masking functionality was commented out and thus disabled.

Any authenticated user with the GetAlert permission, including low-privilege reader roles, can query endpoints like GET /api/v1/targets to retrieve sensitive credentials and internal endpoint URLs for all configured notification targets.

The root cause is that the code responsible for masking secrets was intentionally commented out, leading to raw serialization of sensitive data in API responses.

Impact Analysis

This vulnerability can have significant security impacts because it exposes sensitive credentials such as webhook tokens, basic-auth passwords, and internal endpoint URLs to any authenticated user with minimal privileges.

  • Attackers or unauthorized users can impersonate the deployment to external systems like PagerDuty or Slack by using the exposed credentials.
  • It facilitates lateral movement within internal networks by revealing internal endpoint URLs and credentials.
  • Even low-privilege users with read access can exploit this vulnerability to gain access to sensitive information, increasing the risk of data breaches and unauthorized actions.

Detection Guidance

This vulnerability can be detected by querying the notification-target API endpoints, specifically the GET /api/v1/targets endpoint, to check if webhook tokens, basic-auth credentials, or internal endpoint URLs are returned in cleartext.

Any authenticated user with the GetAlert permission, including low-privilege reader roles, can perform this check.

A suggested command to detect the vulnerability is to send an authenticated HTTP GET request to the /api/v1/targets endpoint and inspect the response for exposed credentials.

  • curl -H "Authorization: Bearer <token>" https://<parseable-server>/api/v1/targets

If the response contains webhook tokens, basic-auth credentials, or internal URLs in plaintext, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade Parseable to version 2.9.2 or later, where the credential masking functionality has been restored and strengthened.

This update ensures that webhook tokens, basic-auth credentials, and other sensitive data are properly masked in API responses.

If upgrading immediately is not possible, restrict access to the /api/v1/targets endpoint to only trusted users and roles that absolutely require it, minimizing exposure.

Additionally, review and re-enable any secret-masking helpers or middleware that redact sensitive information in API responses.

Monitor for any unauthorized access or suspicious activity related to notification target credentials.
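The following Python script is an added illustration for the Detection Guidance and Mitigation sections above; it is not Parseable's own code and not the page's curl command. It runs offline against a constructed sample body shaped like a target listing, reports every field that still carries a cleartext webhook token, basic-auth password or URL-embedded credential, and shows the redaction a defender should expect a fixed build to apply before a target is serialized. The JSON field names (`endpoint`, `auth`, `token`, `password`), the `***` mask and all hosts and secrets in the sample are assumptions, not Parseable's actual schema or values.

```python
"""Audit a /api/v1/targets response for cleartext secrets and show the
redaction a fixed build is expected to apply before serializing targets.

Added example, not Parseable's own code. ASSUMPTIONS: the target JSON shape,
the secret-bearing field names in SECRET_KEYS and the "***" mask are
illustrative; the real schema may differ.
"""
import json
from typing import Any, Optional
from urllib.parse import urlsplit, urlunsplit

# Keys whose string values are treated as secrets (assumed names, not Parseable's schema).
SECRET_KEYS = {"token", "password", "secret", "api_key", "authorization"}
MASK = "***"

# Constructed sample body standing in for what an unpatched server might return.
# Every host, token and password below is made up.
SAMPLE_RESPONSE = json.dumps([
    {"name": "slack-oncall", "type": "slack",
     "endpoint": "https://hooks.example.invalid/services/CONSTRUCTED",
     "auth": {"type": "header", "token": "xoxb-constructed-token"}},
    {"name": "pagerduty", "type": "webhook",
     "endpoint": "https://events.example.invalid/v2/enqueue",
     "auth": {"type": "basic", "username": "alerts", "password": "constructed-pass"}},
    {"name": "internal-hook", "type": "webhook",
     "endpoint": "https://ops:constructed-pw@internal-hook.example.invalid:8080/hook",
     "auth": {"type": "none"}},
])


def _url_password(value: str) -> Optional[str]:
    """Return the password embedded in a URL's userinfo, or None if there is none."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    return parts.password if parts.scheme else None


def scrub_url(value: str) -> str:
    """Replace the password part of a URL's userinfo with MASK; leave other strings alone."""
    if _url_password(value) is None:
        return value
    parts = urlsplit(value)
    host = parts.netloc.rsplit("@", 1)[1]  # keeps host:port (and IPv6 brackets) intact
    netloc = f"{parts.username}:{MASK}@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact(obj: Any) -> Any:
    """Return a copy of obj with secret fields masked and URL credentials scrubbed.

    This is the behaviour a serializer should apply before a target leaves the API.
    """
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            if isinstance(val, str):
                out[key] = MASK if (key.lower() in SECRET_KEYS and val) else scrub_url(val)
            else:
                out[key] = redact(val)
        return out
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return obj


def find_cleartext_secrets(obj: Any, path: str = "$") -> list[str]:
    """Walk a decoded response and return JSON paths of fields still carrying secrets."""
    findings: list[str] = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}"
            if isinstance(val, str):
                if key.lower() in SECRET_KEYS and val and val != MASK:
                    findings.append(here)
                elif _url_password(val) not in (None, MASK):
                    findings.append(f"{here} (credentials in URL)")
            else:
                findings.extend(find_cleartext_secrets(val, here))
    elif isinstance(obj, list):
        for idx, item in enumerate(obj):
            findings.extend(find_cleartext_secrets(item, f"{path}[{idx}]"))
    return findings


def audit_targets(body: str) -> list[str]:
    """Parse a /api/v1/targets response body; a non-empty result means secrets leak."""
    return find_cleartext_secrets(json.loads(body))


def redacted_body(body: str) -> str:
    """What the same response should look like once masking is applied."""
    return json.dumps(redact(json.loads(body)))


if __name__ == "__main__":
    leaks = audit_targets(SAMPLE_RESPONSE)
    print("VULNERABLE, cleartext secrets at:" if leaks else "no cleartext secrets found")
    for leak in leaks:
        print("  ", leak)
    print("after redaction:", audit_targets(redacted_body(SAMPLE_RESPONSE)))
```

To apply the check to a real deployment, pass the body returned by the authenticated GET request from the Detection Guidance section to `audit_targets` instead of the constructed sample; an empty result after upgrading to 2.9.2 or later is the expected outcome. The URL scrub exists because a basic-auth credential can also hide in the userinfo of an endpoint URL, which key-based masking alone would miss.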

Compliance Impact

The vulnerability exposes webhook tokens and basic-auth credentials in cleartext to any authenticated user with low privileges, allowing recovery of sensitive credentials and internal endpoint URLs.

Such exposure of sensitive authentication credentials can lead to unauthorized access and impersonation of the deployment to external systems, which may result in data breaches or unauthorized data access.

This kind of information disclosure can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and credentials to prevent unauthorized access and ensure data confidentiality.
