Description
Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, resulting in unauthorized API usage and potential disclosure of proxied request and response data. This vulnerability's general exploitability has been mitigated with the introduction of commit 023cc95.
Published: 2026-03-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized API Access and Potential Data Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a hard‑coded API key embedded in the router configuration of KeygraphHQ's Shannon application. When the router component is enabled and its port is reachable, an attacker can present the publicly known static key to authenticate to the router, and the router then forwards requests to the upstream provider's API using the victim's configured credentials. This lets the attacker proxy requests through the Shannon instance, resulting in unauthorized API usage and the possible disclosure of both request and response data.

Affected Systems

KeygraphHQ Shannon, specifically the router component that is enabled and exposed to the network. No specific product version is listed in the CNA data; the issue applies to all releases containing the hard‑coded key until the fix commit is applied.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently very low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, an attacker who can reach the router port can authenticate with the static key and proxy requests to upstream services under the victim's credentials, which allows unauthorized API usage and disclosure of proxied data. Exposure requires network connectivity to the router component; no credentials are needed beyond the static key. The risk is therefore confined to systems where the router feature is enabled and externally accessible.

Generated by OpenCVE AI on April 16, 2026 at 03:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a version based on commit 023cc95 or later where the hard‑coded API key has been removed.
  • Disable or restrict network access to the router port if the router functionality is not required for the deployment scenario.
  • Review and rotate upstream provider API credentials, and ensure they are stored securely and not hard‑coded or exposed in the application configuration.
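The following is an added example, not code from the Shannon project, showing the hard-coded-key pattern (CWE-798) beside a configuration loader that refuses to serve with it: the router key comes from the environment, known default values are rejected, an enabled router bound to a non-loopback address with a weak key fails validation, and the presented key is compared in constant time. The environment variable names, the header format and the placeholder key value are assumptions for illustration.

```python
"""Added example (not Shannon's code): router-auth configuration hardening.

Assumed (hypothetical) contract: the router reads ROUTER_ENABLED, ROUTER_BIND
and ROUTER_API_KEY from the environment, and clients send the key as
'Authorization: Bearer <key>'.
"""
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Weak pattern: a static key shipped inside the configuration itself.
# The value is a constructed placeholder, not the key from the advisory.
WEAK_ROUTER_CONFIG = {
    "enabled": True,
    "bind": "0.0.0.0",
    "api_key": "shannon-router-default-key",
}

# Values that must never be accepted, even if an operator copies them into the env.
BLOCKLISTED_KEYS = {WEAK_ROUTER_CONFIG["api_key"], "", "changeme"}
MIN_KEY_LEN = 32
LOOPBACK_BINDS = ("127.0.0.1", "::1", "localhost")


@dataclass(frozen=True)
class RouterConfig:
    enabled: bool
    bind: str
    api_key: Optional[str]

    @property
    def is_network_exposed(self) -> bool:
        # A disabled router or one bound only to loopback is not reachable remotely.
        return self.enabled and self.bind not in LOOPBACK_BINDS


def validate(cfg: RouterConfig) -> List[str]:
    """Return the reasons this configuration is unsafe; an empty list means OK."""
    problems: List[str] = []
    if not cfg.enabled:
        return problems  # nothing is listening, nothing to protect
    if cfg.api_key is None or cfg.api_key in BLOCKLISTED_KEYS:
        problems.append("router enabled with a missing or known-default API key")
    elif len(cfg.api_key) < MIN_KEY_LEN:
        problems.append(f"router API key shorter than {MIN_KEY_LEN} characters")
    if cfg.is_network_exposed and problems:
        problems.append(f"router bound to {cfg.bind!r} and reachable from the network")
    return problems


def config_from_env(env: Mapping[str, str]) -> RouterConfig:
    """Build the config from environment variables instead of a checked-in file."""
    return RouterConfig(
        enabled=env.get("ROUTER_ENABLED", "false").lower() == "true",
        bind=env.get("ROUTER_BIND", "127.0.0.1"),
        api_key=env.get("ROUTER_API_KEY"),
    )


def generate_router_key() -> str:
    """Per-deployment random key; rotate it alongside upstream provider credentials."""
    return secrets.token_urlsafe(48)  # 64 URL-safe characters


def authenticate(authorization_header: str, cfg: RouterConfig) -> bool:
    """Accept the request only if the config is safe and the bearer token matches."""
    if validate(cfg):
        return False  # refuse to serve at all with an unsafe configuration
    scheme, _, presented = authorization_header.partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    # Constant-time comparison avoids leaking the key through timing differences.
    return hmac.compare_digest(presented.encode(), cfg.api_key.encode())


if __name__ == "__main__":
    weak = RouterConfig(**WEAK_ROUTER_CONFIG)
    print("weak config problems:", validate(weak))
    hardened = config_from_env({**os.environ, "ROUTER_ENABLED": "true",
                                "ROUTER_BIND": "0.0.0.0",
                                "ROUTER_API_KEY": generate_router_key()})
    print("hardened config problems:", validate(hardened))
```

Running the module prints two problems for the weak configuration and none for the environment-sourced one; `authenticate` rejects every request against a configuration that fails `validate`, so a deployment that still carries the default key fails closed instead of accepting it.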

Generated by OpenCVE AI on April 16, 2026 at 03:59 UTC.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Keygraphhq; Keygraphhq shannon
Vendors & Products | (none) | Keygraphhq; Keygraphhq shannon

Mon, 09 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, resulting in unauthorized API usage and potential disclosure of proxied request and response data. This vulnerability's general exploitability has been mitigated with the introduction of commit 023cc95.
Title | (none) | Keygraph Shannon Hard-coded Router API Key
Weaknesses | (none) | CWE-798
References | (none) | (none listed)
Metrics | (none) | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
Metrics | (none) | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:19.147Z

Reserved: 2026-03-03T17:24:13.913Z

Link: CVE-2026-29023

Vulnrichment

Updated: 2026-03-12T14:56:01.324Z

NVD

Status : Awaiting Analysis

Published: 2026-03-09T18:16:22.727

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-29023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses