Description
The stored API keys in the temporary browser client are not marked as protected, allowing the JavaScript console or other errors to be used to extract the encryption credentials.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality compromise via extraction of private credentials
Action: Immediate Patch
AI Analysis

Impact

This vulnerability occurs because the API keys used by the temporary browser client are stored in IndexedDB as extractable key material with no protection against being read back, so they can be pulled out through the browser’s JavaScript console or surfaced by other error conditions. Because anyone who can execute JavaScript in that origin can read the encryption credentials, an attacker can obtain the keys used to authenticate API calls, leading to credential compromise and potential unauthorized access to the services behind them.

Affected Systems

The affected component is the CERT/CC cveClient, specifically the encrypt-storage.js module that handles credential storage. No explicit version information is provided in the advisory, so all releases that deploy this module unchanged may be affected. Users of the client should verify whether their installation includes the unprotected storage behavior.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact, and the EPSS score below 1% suggests exploitation in the wild is rare. The vulnerability is not yet listed in the CISA KEV catalog. Exploitation requires the attacker to run arbitrary JavaScript in the victim’s browser, typically via a malicious script injected into a trusted page or by exploiting an existing web vulnerability, after which the attacker can read the unprotected credentials from IndexedDB.

Generated by OpenCVE AI on April 3, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a future version of cveClient that marks stored credentials as non‑extractable, such as the change referenced in the GitHub pull request.
  • If an update cannot be applied immediately, avoid storing sensitive credentials on the client side and use server‑side secure storage instead.
  • Disable or restrict access to the browser console in production environments to limit an attacker’s ability to run arbitrary JavaScript.
  • Perform code reviews to ensure that any credential handling follows secure storage practices and adheres to CWE‑522 guidelines.
  • Monitor API usage for anomalous patterns and rotate keys regularly to limit the impact of a potential credential compromise.


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cmu
                                       Cmu cveclient
CPEs                                   cpe:2.3:a:cmu:cveclient:*:*:*:*:*:*:*:*
Vendors & Products                     Cmu
                                       Cmu cveclient

Fri, 03 Apr 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                                       ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cert/cc
                                       Cert/cc cveclient/encrypt-storage.js
Vendors & Products                     Cert/cc
                                       Cert/cc cveclient/encrypt-storage.js

Thu, 02 Apr 2026 20:45:00 +0000

Type                  Values Removed   Values Added
Description                            The stored API keys in the temporary browser client are not marked as protected, allowing the JavaScript console or other errors to be used to extract the encryption credentials.
Title                                  Private Key stored as extractable in browser IndexedDB
Weaknesses                             CWE-522
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-03T13:51:22.012Z

Reserved: 2026-04-02T20:09:50.057Z

Link: CVE-2026-35467

Vulnrichment

Updated: 2026-04-03T13:49:18.061Z

NVD

Status : Analyzed

Published: 2026-04-02T21:16:40.810

Modified: 2026-06-03T14:03:57.257

Link: CVE-2026-35467

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:11Z

Weaknesses