CVE-2026-7166
Received Received - Intake
Sensitive Data Exposure in API and Local Database

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Vulnerability involving the exposure of sensitive data provided without adequate protection. The API exposes email and phone number data from the ‘email’ and ‘telefon’ fields. This vulnerability is also present in the local database, as it contains accessible sensitive information such as data on minors and municipal users. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to gain access to sensitive information and data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-22
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-7166
EUVD
EUVD-2026-38236
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the exposure of sensitive data without adequate protection. Specifically, an API exposes email and phone number data from the 'email' and 'telefon' fields. Additionally, the local database contains accessible sensitive information, including data on minors and municipal users. An unauthenticated remote attacker could exploit this vulnerability to gain access to this sensitive information.

Compliance Impact

This vulnerability involves the exposure of sensitive personal data such as email addresses, phone numbers, and information about minors and municipal users without adequate protection.

Such exposure of sensitive data could lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

Failure to protect this data adequately may result in violations of these regulations, potentially leading to legal penalties, loss of trust, and other compliance-related consequences.

Impact Analysis

The impact of this vulnerability is significant because it allows an unauthenticated remote attacker to access sensitive personal information such as emails, phone numbers, and data related to minors and municipal users. This exposure can lead to privacy violations, identity theft, targeted attacks, and potential misuse of the exposed data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7166. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart