Description
The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with local access can leverage these vulnerabilities to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json.
Published: 2026-06-05
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linqi application embeds cryptographic keys directly in its codebase and constructs AES/CBC initialization vectors using a limited ASCII character set. This combination renders the encryption scheme vulnerable to known‑plaintext attacks. An adversary who gains local access can exploit the fixed keys and predictable IVs to decrypt obfuscated strings, including database connection strings stored in appsettings.json, thereby exposing credentials and related sensitive data.

Affected Systems

The affected product is Linqi, developed by linqi GmbH. No specific version information was supplied, so all releases should be treated as potentially containing the hardcoded keys and the weak IV algorithm.

Risk and Exploitability

The CVSS score of 8.5 reflects a high-severity vulnerability. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. The attack is inferred to require local access; attackers able to run code on the target system can directly read and decrypt configuration values. The combination of hardcoded keys and predictable IVs makes large-scale exploitation feasible once a local foothold is achieved.

Generated by OpenCVE AI on June 5, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's security patch that removes hardcoded cryptographic keys and replaces them with securely generated, dynamically provided keys.
  • Update the application to generate AES/CBC IVs using a cryptographically secure random number generator, ensuring 16‑byte IVs drawn from the full byte range rather than a limited ASCII set.
  • Move all secrets, including connection strings and cryptographic keys, to a protected secrets store or inject them as environment variables, eliminating hardcoded credentials from the codebase.
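The recommended actions above describe two fixes (CSPRNG-generated 16-byte IVs drawn from the full byte range, and keys sourced from the environment or a secrets store rather than the codebase) and imply an audit question: how does a defender tell a restricted-charset IV from a properly random one? The following Python is an added illustration and is neither linqi's code nor part of the OpenCVE record. The alphanumeric charset standing in for linqi's "limited ASCII charset" and the environment variable name LINQI_AES_KEY are assumptions; the real charset is not published on this page. No AES library is used, so the example covers only IV generation, entropy accounting, key sourcing, and a detection heuristic, not the encryption step itself.

```python
import math
import os
import random
import secrets
import string

# Constructed stand-in for "a limited ASCII charset" (assumption: the real
# charset used by the affected application is not published on the page).
LIMITED_CHARSET = string.ascii_letters + string.digits  # 62 symbols
IV_LEN = 16  # AES block size in bytes


def weak_iv(rng=random) -> bytes:
    """Pattern to avoid (CWE-338 plus a restricted alphabet): IV bytes chosen
    from a small printable set with the non-cryptographic `random` module."""
    return "".join(rng.choice(LIMITED_CHARSET) for _ in range(IV_LEN)).encode("ascii")


def strong_iv() -> bytes:
    """Recommended form: 16 bytes from the OS CSPRNG, full 0..255 range."""
    return secrets.token_bytes(IV_LEN)


def iv_entropy_bits(alphabet_size: int, length: int = IV_LEN) -> float:
    """Upper bound on IV entropy in bits: log2(alphabet_size ** length).
    62 printable symbols give about 95 bits; the full byte range gives 128."""
    return length * math.log2(alphabet_size)


def iv_looks_restricted(iv: bytes) -> bool:
    """Audit heuristic: an IV whose every byte is printable ASCII most likely
    came from a restricted charset. A genuinely random 16-byte IV is
    all-printable with probability (95/256)**16, roughly one in eight million."""
    return len(iv) == IV_LEN and all(0x20 <= b <= 0x7E for b in iv)


def audit_iv_samples(ivs) -> tuple:
    """Return (flagged, total) over a batch of IVs taken from stored ciphertext.
    A healthy generator yields ~0 flagged; if most samples are flagged, the
    IV source needs replacing."""
    flagged = sum(1 for iv in ivs if iv_looks_restricted(iv))
    return flagged, len(ivs)


def load_key_from_env(var: str = "LINQI_AES_KEY", environ=None) -> bytes:
    """Fix for CWE-321: read the AES key (hex-encoded) from the environment or
    an injected secret instead of a literal in source. Refuses to fall back to
    any built-in default, which is the whole point of removing hardcoded keys."""
    environ = os.environ if environ is None else environ
    value = environ.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set; refusing to use a built-in key")
    key = bytes.fromhex(value)
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    return key


if __name__ == "__main__":
    print("restricted-charset IV entropy:", round(iv_entropy_bits(62), 1), "bits")
    print("full-range IV entropy:       ", iv_entropy_bits(256), "bits")
    weak_batch = [weak_iv() for _ in range(20)]
    strong_batch = [strong_iv() for _ in range(20)]
    print("weak batch flagged:  ", audit_iv_samples(weak_batch))
    print("strong batch flagged:", audit_iv_samples(strong_batch))
```

The entropy gap (about 95 bits versus 128) understates the practical problem: for CBC the issue is not only reduced entropy but that IVs built from a non-cryptographic generator are predictable, which is why the remediation calls for a CSPRNG over the full byte range rather than merely a larger alphabet. The audit heuristic is a cheap triage step for stored ciphertext and should be followed by a code review of the IV source.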


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 21:30:00 +0000

Metrics
  Values removed: (none)
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 13:30:00 +0000

Fri, 05 Jun 2026 12:45:00 +0000

Title
  Values removed: Hardcoded Cryptographic Keys and Weak IV Generation in Linqi Application
  Values added: Hardcoded Cryptographic Keys and Weak IV Generation in linqi
References

Fri, 05 Jun 2026 11:45:00 +0000

First Time appeared
  Values added: Linqi, Linqi linqi
Vendors & Products
  Values added: Linqi, Linqi linqi

Fri, 05 Jun 2026 10:45:00 +0000

Description
  Values added: The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with local access can leverage these vulnerabilities to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json.
Title
  Values added: Hardcoded Cryptographic Keys and Weak IV Generation in Linqi Application
Weaknesses
  Values added: CWE-321, CWE-338
References
Metrics
  Values added: cvssV4_0 {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: linqi

Published:

Updated: 2026-06-05T20:22:25.302Z

Reserved: 2026-06-05T08:52:47.208Z

Link: CVE-2026-11347

Vulnrichment

Updated: 2026-06-05T20:22:21.025Z

NVD

Status: Deferred

Published: 2026-06-05T11:16:34.627

Modified: 2026-06-05T16:07:31.547

Link: CVE-2026-11347

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T11:30:39Z

Weaknesses
  • CWE-321

    Use of Hard-coded Cryptographic Key

  • CWE-338

    Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)