Description
Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS.
To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later.
Published: 2026-06-02
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Graph Explorer versions prior to 3.0.1, the proxy server silently falls back from HTTPS to plain HTTP when the required certificate files are missing. As a result, traffic that should have been encrypted can be captured by an attacker, exposing sensitive data such as authentication tokens, query parameters, or user credentials. The weakness is classified as CWE-319: Cleartext Transmission of Sensitive Information.

Affected Systems

Affected systems are all deployments of AWS Graph Explorer running versions before 3.0.1. The vulnerability lies in the product's handling of TLS certificates and is confined to the proxy service itself; it does not allow arbitrary code execution or privilege escalation.

Risk and Exploitability

The CVSS score of 8.2 marks this as high severity. Because no EPSS score is provided, the probability of exploitation is currently unknown; however, the vulnerability is publicly documented and no mitigation reference is listed, so exploitation is plausible for anyone with the necessary network visibility. The issue is not listed in CISA's KEV catalog. The likely attack vector is remote: an attacker positioned to intercept or observe traffic to the proxy can capture the downgraded HTTP stream, provided they have that traffic-monitoring vantage point. Exploitation requires no user interaction, and no application privileges are needed beyond the ability to observe network traffic.

Generated by OpenCVE AI on June 3, 2026 at 03:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Graph Explorer to version 3.0.1 or later
  • Configure the proxy to ensure that certificate files are present and correctly referenced before starting; if certificates are missing, the service should refuse to start or reject connections
  • If an immediate upgrade is not possible, implement a network-level policy that blocks or logs any HTTP traffic originating from Graph Explorer to prevent inadvertent data leakage

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | - | Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later.
Title | - | HTTPS Fallback to HTTP in Graph Explorer
First Time appeared | - | Aws; Aws graph Explorer
Weaknesses | - | CWE-319
CPEs | - | cpe:2.3:a:aws:graph_explorer:*:*:*:*:*:*:*:*
Vendors & Products | - | Aws; Aws graph Explorer
References | - | -
Metrics | - | cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Aws Graph Explorer
MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-02T19:08:01.019Z

Reserved: 2026-06-01T18:25:09.382Z

Link: CVE-2026-10584

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-02T20:16:31.757

Modified: 2026-06-02T20:16:31.757

Link: CVE-2026-10584

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses