Description
Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.
Published: 2026-04-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an incorrect access control in the config.php component of Slah. Because the file is accessible without authentication, an attacker can retrieve its contents, which contain sensitive data, including active session credentials. This flaw corresponds to improper access control (CWE-284) and results in information exposure (CWE-200). The exposure compromises confidentiality and can enable further attacks if the session data is captured.

Affected Systems

Slah version 1.5.0 and all earlier releases are affected. No additional product or version information is available from the CNA.

Risk and Exploitability

The CVE has a CVSS score of 7.5, does not report an EPSS score, and is not listed in the CISA KEV catalog, indicating that no public exploitation data is known. Based on the description, it is inferred that an attacker can trigger the flaw by directly requesting the /config.php URL over HTTP, which would return the plaintext configuration file. Exploitability is rated low to moderate: it requires network access to the web server, although no authentication is needed. The impact, however, is critical because of the sensitive data exposed.

Generated by OpenCVE AI on April 15, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available patch or upgrade to a version newer than 1.5.0 that removes the unauthenticated access to config.php.
  • Configure the web server to deny HTTP access to the config.php file or move it outside the document root so it cannot be served to clients.
  • Restrict the file permissions of config.php so that only system users, not the web server process, can read it.
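As an added example covering both the analysis above (a configuration file that is servable by URL) and the three recommended actions, the POSIX shell audit below checks a PHP config file against each action: that it sits outside the document root, that it is neither world-readable nor owned by the web server account, and that an explicit Apache deny rule for direct requests is present. This is not code from OpenCVE or from the Slah project; every path, the web-server account name and the generated .htaccess content are hypothetical inputs chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the OpenCVE record or the Slah code base.
# Audits a PHP config file against the three recommended actions above:
#  1. it should live outside the web server's document root,
#  2. it should not be world-readable or owned by the web server account,
#  3. the web server should carry an explicit deny rule for direct requests.
# All paths and the web-server account name are hypothetical inputs.

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the owning user name of a file (GNU stat first, BSD stat fallback).
file_owner() {
  stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_config_exposure <config_path> <document_root> <web_server_user>
# Prints one OK/FAIL line per check; returns 0 only when every check passes.
check_config_exposure() {
  cfg=$1; docroot=$2; webuser=$3; rc=0
  cfg_dir=$(cd "$(dirname "$cfg")" 2>/dev/null && pwd -P) || {
    echo "FAIL: $cfg does not exist"; return 1; }
  cfg_abs=$cfg_dir/$(basename "$cfg")
  doc_abs=$(cd "$docroot" 2>/dev/null && pwd -P) || {
    echo "FAIL: document root $docroot does not exist"; return 1; }

  # 1. Anything under the document root can be requested over HTTP by URL.
  case "$cfg_abs" in
    "$doc_abs"/*) echo "FAIL: $cfg_abs is inside document root $doc_abs"; rc=1 ;;
    *)            echo "OK: config file is outside the document root" ;;
  esac

  # 2a. The "other" octal digit is the last one; bit 4 is its read bit.
  mode=$(file_mode "$cfg_abs")
  if [ $(( (mode % 10) & 4 )) -ne 0 ]; then
    echo "FAIL: mode $mode is world-readable"; rc=1
  else
    echo "OK: mode $mode is not world-readable"
  fi

  # 2b. A file owned by the web server account is readable by any code it runs.
  owner=$(file_owner "$cfg_abs")
  if [ "$owner" = "$webuser" ]; then
    echo "FAIL: owned by the web server account ($webuser)"; rc=1
  else
    echo "OK: owned by $owner, not by $webuser"
  fi
  return "$rc"
}

# write_apache_deny <directory>
# Writes a .htaccess (Apache 2.4 syntax) that refuses direct requests for config.php.
write_apache_deny() {
  cat > "$1/.htaccess" <<'EOF'
# Refuse direct HTTP requests for the configuration file.
<Files "config.php">
    Require all denied
</Files>
EOF
}

# apache_denies_config <htaccess_or_conf_file>
# Returns 0 when the file holds a <Files "config.php"> block containing "Require all denied".
apache_denies_config() {
  [ -r "$1" ] || return 1
  awk '
    /<Files[[:space:]]+"?config\.php"?[[:space:]]*>/ { inblock = 1; next }
    /<\/Files>/                                     { inblock = 0 }
    inblock && /Require[[:space:]]+all[[:space:]]+denied/ { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Equivalent nginx rule, for reference only (not applied by this script):
#   location = /config.php { deny all; }

# Usage: sh audit_config.sh /path/to/config.php /var/www/html www-data
if [ "$#" -eq 3 ]; then
  check_config_exposure "$@"
fi
```

The audit is purely host-side: it reads paths and permission bits and never issues HTTP requests, so it can run from a cron job or a configuration-management check without touching the live service. The owner check mirrors the third recommendation's wording (the web server process should not be the reader), and the .htaccess rule only takes effect where AllowOverride permits it, so confirm the server configuration honours per-directory overrides or place the same Files block in the main server config.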


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 09:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Slah Cms
                                       Slah Cms slah Cms
Vendors & Products                     Slah Cms
                                       Slah Cms slah Cms

Wed, 15 Apr 2026 22:45:00 +0000

Type                 Values Removed    Values Added
Title                                  Unauthenticated Access to Config File Exposes Session Credentials in Slah v1.5.0 and Earlier

Wed, 15 Apr 2026 19:15:00 +0000

Type                 Values Removed    Values Added
Weaknesses                             CWE-284
Metrics                                cvssV3_1
                                       {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                                       ssvc
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 17:15:00 +0000

Type                 Values Removed    Values Added
Description                            Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-15T18:06:38.418Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-30994

Vulnrichment

Updated: 2026-04-15T18:06:29.463Z

NVD

Status : Received

Published: 2026-04-15T17:17:04.220

Modified: 2026-04-15T19:16:34.647

Link: CVE-2026-30994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:12:53Z

Weaknesses