Description
Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.
Published: 2026-01-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Password credential exposure
Action: Apply patch
AI Analysis

Impact

Tugtainer, a self-hosted Docker container automation tool, contains an authentication flaw in versions older than 1.16.1. The password supplied for authentication is appended to the request URL as a query string rather than being placed in the request body. Because the URL is logged by the server, it may appear in access logs, browser history, Referer headers, and proxy logs, resulting in the disclosure of user credentials. This weakness aligns with CWE-598 (Exposing Sensitive Information Through an Improper Transfer Mechanism).

Affected Systems

The vulnerability affects all installations of Quenary Tugtainer versions earlier than 1.16.1. Administrators should review any deployment that has not been updated to 1.16.1 or later, regardless of the operating environment, as the flaw is present in all such releases.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, yet the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not included in the CISA KEV catalog. Exploitation would most likely be passive: an attacker reads credentials from server logs, browser histories, or forwarded Referer headers rather than interacting with the service directly. No direct remote code execution or privilege escalation is possible, but the exposure of authentication secrets can lead to account compromise, unauthorized access to container registries, and potential lateral movement within an environment.

Generated by OpenCVE AI on April 18, 2026 at 05:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quenary Tugtainer to version 1.16.1 or later.
  • Immediately purge any server access logs, browser histories, or proxy logs that may contain the exposed passwords.
  • Restrict read and write permissions on log files to prevent unauthorized access, and configure logging to exclude URL query parameters.
  • As a temporary countermeasure, disable password authentication or replace it with a token-based or certificate-based authentication method until the patch is applied.
  • Enforce HTTPS for all communication to prevent eavesdropping of authentication traffic.

Generated by OpenCVE AI on April 18, 2026 at 05:01 UTC.
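
The log-hygiene steps above (purging entries that carry exposed passwords, keeping query parameters out of logs) need a way to find the affected entries first. The following is an added example, not part of the OpenCVE record or of the Tugtainer project: it scans Combined Log Format lines for credential-bearing query strings in both the request line and the Referer field and redacts them. The `/api/login` path, the `password` parameter name, the hostname and the log lines are constructed assumptions, not Tugtainer's actual endpoint or parameters.

```python
import re

# Added example (not Tugtainer code): endpoint path, hostname and log lines are constructed.
# Parameter names that must never travel in a URL (matched case-insensitively).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Any "?query" up to whitespace or a closing quote: matches the request line and the Referer field.
QUERY_RE = re.compile(r'\?([^\s"]+)')


def redact_query(query: str) -> tuple[str, list[str]]:
    """Replace values of sensitive parameters; return (new_query, names_found)."""
    found, out = [], []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name.lower() in SENSITIVE_PARAMS:
            found.append(name)
            value = "[REDACTED]"
        out.append(name + sep + value)
    return "&".join(out), found


def scrub_log_line(line: str) -> tuple[str, list[str]]:
    """Scrub every query string in one log line; report which params leaked."""
    found: list[str] = []

    def repl(m):
        new_query, names = redact_query(m.group(1))
        found.extend(names)
        return "?" + new_query

    return QUERY_RE.sub(repl, line), found


def scan_log(lines: list[str]) -> list[tuple[int, list[str], str]]:
    """Return (1-based line number, leaked params, scrubbed line) per affected line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        scrubbed, found = scrub_log_line(line)
        if found:
            hits.append((n, found, scrubbed))
    return hits


# Constructed sample: the password in a login query string, the same URL leaking
# again through Referer on the next request, and a harmless paginated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2026:20:15:49 +0000] "POST /api/login?username=admin&password=hunter2 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [19/Jan/2026:20:15:50 +0000] "GET /dashboard HTTP/1.1" 200 5120 "https://tugtainer.example/api/login?username=admin&password=hunter2" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Jan/2026:20:16:02 +0000] "GET /api/containers?page=2 HTTP/1.1" 200 804 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for n, params, scrubbed in scan_log(SAMPLE_LOG):
        print(f"line {n}: leaked {params}\n  {scrubbed}")
```

The second sample line shows why purging only the login request is not enough: the same credential reappears in the Referer field of the request that follows it.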

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 18:45:00 +0000

  Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:quenary:tugtainer:*:*:*:*:*:docker:*:*

Tue, 20 Jan 2026 15:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added: Quenary; Quenary tugtainer

  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Quenary; Quenary tugtainer

Mon, 19 Jan 2026 20:00:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.

  Type: Title
  Values Removed: (none)
  Values Added: Tugtainer vulnerable to Password Exposure via URL Query Parameter

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-598

  Type: References
  Values Removed: (none)
  Values Added: (none listed)

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


Subscriptions

Quenary Tugtainer
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T14:40:03.105Z

Reserved: 2026-01-16T15:46:40.843Z

Link: CVE-2026-23846

Vulnrichment

Updated: 2026-01-20T14:39:55.824Z

NVD

Status: Analyzed

Published: 2026-01-19T20:15:49.243

Modified: 2026-02-05T18:44:54.550

Link: CVE-2026-23846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses