Description
Halloy is an IRC application written in Rust. In versions on *nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in `0644` on files and `0755` on directories. This allows any local user on the system to read plaintext credentials stored in `config.toml` or referenced `password_file` paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.
Published: 2026-03-20
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local read of plaintext credentials
Action: Apply patch
AI Analysis

Impact

Halloy is an IRC client that stores user credentials in plain text in its configuration files. On Unix-like systems (including Linux) and macOS, versions before commit f180e41061db393acf65bc99f5c5e7397586d9cb create the config directory and its files without requesting an explicit mode, so the result is whatever the process umask leaves of the 0666/0777 creation defaults: with the common umask of 022 that is 0644 on files and 0755 on directories. Any local account can therefore read config.toml and any password_file it references. The impact is a local confidentiality breach: every other user on a shared host can recover the stored IRC credentials.
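
To make the mechanism concrete, here is an added Rust example, illustrative code written for this page rather than Halloy's source or the patch in commit f180e41061db393acf65bc99f5c5e7397586d9cb: `effective_mode` reproduces the umask arithmetic the kernel applies, `create_config_insecure` shows the pre-fix pattern of relying on the default umask, and `create_config_secure` requests 0700/0600 at creation time and re-tightens anything that already existed. The temp directory, the sample config contents and the function names are assumptions constructed for the demonstration.

```rust
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// The kernel derives a new inode's mode as `requested & !umask`: a umask can
/// only clear bits, never add them. Requesting 0o600 is therefore private under
/// any umask, whereas the 0o666 / 0o777 creation defaults depend on it.
pub fn effective_mode(requested: u32, umask: u32) -> u32 {
    requested & !umask & 0o777
}

/// Pre-fix pattern (illustrative, not Halloy's code): rely on the process umask.
/// `create_dir_all` requests 0o777 and `File::create` requests 0o666, so a
/// umask of 022 yields 0o755 / 0o644 and every local account can read the file.
/// Returns the resulting permission bits of config.toml.
pub fn create_config_insecure(dir: &Path, contents: &str) -> io::Result<u32> {
    fs::create_dir_all(dir)?;
    let path = dir.join("config.toml");
    fs::File::create(&path)?.write_all(contents.as_bytes())?;
    Ok(fs::metadata(&path)?.permissions().mode() & 0o777)
}

/// Hardened pattern: request 0o700 / 0o600 at creation time so the inode never
/// exists with looser bits, and tighten anything that already exists, because
/// `mode()` is ignored whenever `open` does not create the file.
pub fn create_config_secure(dir: &Path, contents: &str) -> io::Result<u32> {
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    fs::set_permissions(dir, fs::Permissions::from_mode(0o700))?;
    let path = dir.join("config.toml");
    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600)
        .open(&path)?;
    file.write_all(contents.as_bytes())?;
    fs::set_permissions(&path, fs::Permissions::from_mode(0o600))?;
    Ok(fs::metadata(&path)?.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    // Constructed sample holding a plaintext secret; not Halloy's real schema.
    let sample = "[servers.example]\nnickname = \"alice\"\npassword = \"hunter2\"\n";
    let base = std::env::temp_dir().join(format!("halloy-mode-demo-{}", std::process::id()));
    let insecure = create_config_insecure(&base.join("insecure"), sample)?;
    let secure = create_config_secure(&base.join("secure"), sample)?;
    println!(
        "umask 022: 0o666 -> {:o}, 0o777 -> {:o}, 0o600 -> {:o}",
        effective_mode(0o666, 0o022),
        effective_mode(0o777, 0o022),
        effective_mode(0o600, 0o022)
    );
    println!("insecure config.toml: {:o} (whatever this process's umask allows)", insecure);
    println!("secure   config.toml: {:o}", secure);
    fs::remove_dir_all(&base)
}
```

Two details matter in practice. `OpenOptionsExt::mode` only takes effect when `open` creates the file, so a patched client started against a config written by an older build keeps the old 0644 unless it also calls `set_permissions`; and a `chmod` issued after a default-mode create leaves a window during which the file is readable, which requesting the restrictive mode up front avoids. The same treatment applies to any file named by `password_file`, which may live outside the config directory.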

Affected Systems

The affected product is Squidowl's Halloy (the CPE recorded on this page is cpe:2.3:a:halloy:halloy). Every Halloy build for Unix-like systems and macOS that predates commit f180e41061db393acf65bc99f5c5e7397586d9cb is affected; the advisory names only those platforms. The CNA data lists no version numbers; the fix is the named commit and any release that includes it.

Risk and Exploitability

The 4.8 score is the CVSS v4.0 rating (Medium); the v3.1 vector recorded in the history on this page scores 5.5. Both describe a local attack vector (AV:L) needing only low privileges (PR:L) and no user interaction: an attacker with an ordinary account on the same host reads the credentials, with no integrity or availability impact. The EPSS score is below 1%, so exploitation at scale is considered unlikely, although the SSVC record on this page rates Exploitation as 'poc', which is consistent with a flaw whose exploit is simply reading a world-readable file. The vulnerability is not listed in the CISA KEV catalog. On a single-user workstation the practical exposure is small; on shared multi-user hosts the credentials are readable by every other account until the files are re-permissioned, and an upgrade alone should not be assumed to have tightened files that already existed, so check their modes afterwards.

Generated by OpenCVE AI on March 23, 2026 at 20:26 UTC.

Remediation

No vendor advisory or workaround is recorded in this field; the fix is the commit named in the Description, f180e41061db393acf65bc99f5c5e7397586d9cb.

OpenCVE Recommended Actions

  • Upgrade Halloy to a build that contains commit f180e41061db393acf65bc99f5c5e7397586d9cb or any later release.
  • If an immediate upgrade is not possible, set the config directory to 0700 and its files to 0600, apply 0600 to every file named by password_file wherever it lives, and keep credential files out of directories other users can traverse.
  • Treat any credential that sat in a world-readable file on a multi-user host as exposed: rotate it, then remove the old plaintext copies.
  • Check the umask of the process that launches Halloy, not only your interactive shell (GUI launchers do not inherit a shell's umask). A restrictive umask such as 077 is a stopgap for unpatched builds; after reinstalling or upgrading, verify the modes of the created files directly rather than relying on the umask.
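
The audit and tightening described in the list above, written here as an added Rust example that is not Halloy code: `audit` walks a directory and reports every file or directory that grants any permission to group or others, `harden` applies 0700/0600 to those findings, and `current_umask` reads the process umask from /proc/self/status on Linux. The temp tree, file names and contents in `main` are constructed for the demonstration; a real run would point `audit` at the Halloy config directory and at each path referenced by `password_file`.

```rust
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// One path that grants some permission to group or others.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub path: PathBuf,
    pub mode: u32,
    pub is_dir: bool,
}

/// Walk `root` and report every directory or regular file whose mode has any
/// bit set in 0o077. Symlinks are neither followed nor reported, so a link
/// planted in the tree cannot redirect the later chmod somewhere else.
pub fn audit(root: &Path) -> io::Result<Vec<Finding>> {
    let mut findings = Vec::new();
    walk(root, &mut findings)?;
    Ok(findings)
}

fn walk(path: &Path, findings: &mut Vec<Finding>) -> io::Result<()> {
    let md = fs::symlink_metadata(path)?;
    if md.file_type().is_symlink() {
        return Ok(());
    }
    let mode = md.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        findings.push(Finding { path: path.to_path_buf(), mode, is_dir: md.is_dir() });
    }
    if md.is_dir() {
        for entry in fs::read_dir(path)? {
            walk(&entry?.path(), findings)?;
        }
    }
    Ok(())
}

/// Apply 0o700 to directories and 0o600 to files for every finding.
/// Returns how many paths were changed.
pub fn harden(findings: &[Finding]) -> io::Result<usize> {
    for f in findings {
        let mode = if f.is_dir { 0o700 } else { 0o600 };
        fs::set_permissions(&f.path, fs::Permissions::from_mode(mode))?;
    }
    Ok(findings.len())
}

/// Linux only: read the process umask from the "Umask:" line of /proc/self/status.
/// Returns None on other systems or on kernels that lack the field.
pub fn current_umask() -> Option<u32> {
    let status = fs::read_to_string("/proc/self/status").ok()?;
    let line = status.lines().find(|l| l.starts_with("Umask:"))?;
    u32::from_str_radix(line["Umask:".len()..].trim(), 8).ok()
}

fn main() -> io::Result<()> {
    // Constructed tree standing in for a pre-patch config directory (assumed layout).
    let root = std::env::temp_dir().join(format!("halloy-audit-demo-{}", std::process::id()));
    fs::create_dir_all(&root)?;
    fs::set_permissions(&root, fs::Permissions::from_mode(0o755))?;
    fs::write(root.join("config.toml"), "password_file = \"secret\"\n")?;
    fs::set_permissions(root.join("config.toml"), fs::Permissions::from_mode(0o644))?;
    let before = audit(&root)?;
    for f in &before {
        println!("{:o} {}", f.mode, f.path.display());
    }
    let changed = harden(&before)?;
    println!("tightened {} paths; remaining findings: {}", changed, audit(&root)?.len());
    if let Some(u) = current_umask() {
        println!("process umask: {:04o}", u);
    }
    fs::remove_dir_all(&root)
}
```

Run it before and after the upgrade: a clean second audit is the evidence that the new build, or your manual chmod, actually took effect on files that already existed.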

Generated by OpenCVE AI on March 23, 2026 at 20:26 UTC.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 02:30:00 +0000

  • Metrics added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:30:00 +0000

  • First Time appeared: Halloy; Halloy halloy
  • CPEs added: cpe:2.3:a:halloy:halloy:*:*:*:*:*:*:*:*
  • Vendors & Products added: Halloy; Halloy halloy
  • Metrics added (cvssV3_1): {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Mon, 23 Mar 2026 10:00:00 +0000

  • First Time appeared: Squidowl; Squidowl halloy
  • Vendors & Products added: Squidowl; Squidowl halloy

Fri, 20 Mar 2026 22:45:00 +0000

  • Description added: Halloy is an IRC application written in Rust. In versions on *nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in `0644` on files and `0755` on directories. This allows any local user on the system to read plaintext credentials stored in `config.toml` or referenced `password_file` paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.
  • Title added: Halloy has insecure file permissions on credential files
  • Weaknesses added: CWE-732
  • References: (empty in this record)
  • Metrics added (cvssV4_0): {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T21:41:38.612Z

Reserved: 2026-03-16T17:35:36.696Z

Link: CVE-2026-32810

Vulnrichment

Updated: 2026-03-23T21:01:06.941Z

NVD

Status : Modified

Published: 2026-03-20T23:16:44.863

Modified: 2026-03-23T22:16:28.183

Link: CVE-2026-32810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:12Z

Weaknesses