CVE-2026-63098
Received Received - Intake

TheHive Unauthenticated Information Disclosure Vulnerability

Vulnerability report for CVE-2026-63098, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler. Attackers can obtain the datastore attachment protection password, configured authentication providers, SSO settings, MFA capabilities, and clustered node addresses and roles without any credentials.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
thehive thehive to 4.1.24 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63098 is an unauthenticated information disclosure vulnerability in TheHive, a security incident response platform. It allows attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint without any credentials. Exposed data includes the datastore attachment protection password, authentication providers, SSO settings, MFA capabilities, and clustered node addresses and roles.

Detection Guidance

To detect this vulnerability, check if unauthenticated requests to the /api/status endpoint return sensitive configuration data. Use curl to send a GET request to http://<target>/api/status and inspect the response for exposed passwords, authentication providers, SSO settings, or cluster details. Example command: curl -v http://<target>/api/status

For the second vulnerability, test if authenticated users can access attachments from other organizations by querying /api/v0/datastore/{id} or /api/v0/datastorezip/{id} with known content-hash identifiers.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive configuration details and potentially allow attackers to download malware attachments or forensic files if they obtain the attachment protection password through other means. In multi-tenant deployments, it may enable cross-organization attachment disclosure, exposing case evidence to unauthorized users.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR and HIPAA due to unauthorized access to sensitive data. Exposure of authentication providers, SSO settings, and MFA capabilities may compromise user privacy and authentication security. The datastore attachment protection password could allow access to malware samples or forensic files containing personal or health data, violating confidentiality requirements.

Mitigation Strategies

Immediately upgrade TheHive to a patched version beyond 4.1.24. If upgrading is not possible, restrict access to the /api/status endpoint by implementing authentication checks or IP whitelisting. Disable cross-organization attachment access by enforcing object-level authorization in AttachmentSrv.visible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63098. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart