Description
The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions.
Published: 2026-01-16
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in how TheLibrarian’s supervisord status page can be fetched via the web_fetch tool, allowing entities that control web_fetch to enumerate running processes on the backend. This disclosure can reveal internal application state, potentially aiding further attacks or providing insight into system configuration. The weakness corresponds to inadequate protection of sensitive process information.

Affected Systems

This issue affects TheLibrarian.io’s TheLibrarian service. All versions of the product are considered impacted until the vendor releases a fix. No specific version range is listed, but the vendor has confirmed a fix in all affected versions.

Risk and Exploitability

The CVSS base score of 7.3 indicates high severity. Although the EPSS score is below 1%, indicating a low current probability of exploitation, the vulnerability remains exploitable without authentication if the web_fetch path is reachable. The vulnerability is not yet listed in the CISA KEV catalog. An attacker who can send crafted requests to the status page, most likely through web_fetch, could retrieve the process list. Mitigation requires updating to the vendor's patched release or implementing network controls that block unauthenticated access to the endpoint.

Generated by OpenCVE AI on April 18, 2026 at 05:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TheLibrarian to the latest vendor‑supplied version that contains the fix for the supervisord status page exposure.
  • If an immediate upgrade is not feasible, block or restrict external access to the supervisord status endpoint or disable the web_fetch tool to prevent unauthorized process disclosures.
  • Continuously monitor network traffic and logs for unexpected access to the status page, and consider adding authentication or IP whitelisting to further safeguard the endpoint.
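As an added illustration of the last two recommended actions (this is not configuration from the page, from TheLibrarian.io or from OpenCVE), the following shows a weak supervisord `[inet_http_server]` listener beside a hardened alternative. The port, listener address and credential values are placeholders, since the page does not state how TheLibrarian's supervisord is configured; the two sections are alternatives, not one file.

```ini
; --- Weak: the status page answers any client that can open a TCP connection,
; including a fetch tool running inside the same backend, and asks for no credentials.
[inet_http_server]
port = *:9001

; --- Hardened: bind to loopback and require HTTP basic-auth credentials.
; Binding alone does not stop a fetch tool that runs on the same host, so the
; username/password pair is the part that actually blocks unauthenticated reads.
; Values are placeholders; generate a real password and keep it out of version control.
[inet_http_server]
port = 127.0.0.1:9001
username = supervisor_admin
password = CHANGE_ME_PLACEHOLDER

; If only local process control (supervisorctl) is needed, drop the TCP listener
; entirely; a unix socket with restrictive permissions is not reachable by an HTTP fetch.
[unix_http_server]
file = /var/run/supervisor.sock
chmod = 0700
```

Pair the hardened listener with log monitoring for requests to the status path that do not carry the expected credentials, which is the unexpected-access signal the third action refers to.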

Generated by OpenCVE AI on April 18, 2026 at 05:47 UTC.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 23 Jan 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Thelibrarian the Librarian
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:thelibrarian:the_librarian:-:*:*:*:*:*:*:*
Vendors & Products Thelibrarian the Librarian

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Thelibrarian
Thelibrarian thelibrarian
Vendors & Products Thelibrarian
Thelibrarian thelibrarian

Fri, 16 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 13:00:00 +0000

Type Values Removed Values Added
Description The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions.
Title CVE-2026-0615
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-01-16T14:38:37.462Z

Reserved: 2026-01-05T17:41:40.682Z

Link: CVE-2026-0615

Vulnrichment

Updated: 2026-01-16T14:38:29.149Z

NVD

Status : Analyzed

Published: 2026-01-16T13:16:11.873

Modified: 2026-01-23T16:59:52.490

Link: CVE-2026-0615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses