Description
A vulnerability was determined in kalcaddle kodbox 1.64. Impacted is the function shareSafeGroup of the file /workspace/source-code/app/controller/explorer/shareOut.class.php of the component Site-level API key Handler. This manipulation of the argument sk causes use of a hard-coded cryptographic key. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: API key compromise through hard‑coded cryptographic key in the Site‑level API key handler
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in kalcaddle Kodbox 1.64, specifically the shareSafeGroup() function of the shareOut.class.php component. Manipulation of the sk argument forces the function to use a hard‑coded cryptographic key, allowing an attacker who can influence this parameter to generate or read API keys that the system would normally secure. This flaw, a clear‑text usage of a secret (CWE‑320 and CWE‑321), enables unauthorized use of the API, potentially facilitating data export or further compromise of the Kodbox instance.

Affected Systems

kalcaddle’s Kodbox product, version 1.64, is affected. The flaw is limited to the shareOut.class.php controller and the shareSafeGroup API endpoint; newer or earlier versions have not been reported as impacted.

Risk and Exploitability

The CVSS base score of 6.3 indicates medium severity, yet the vulnerability requires remote initiation with a complex exploitation path, making real‑world attacks less likely at present. The EPSS score is unavailable and the issue is not listed in CISA’s KEV catalog. The attack vector would be over the network to the vulnerable endpoint, but the complexity and lack of publicly available exploit scripts reduce the immediate exploitation risk.

Generated by OpenCVE AI on March 23, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑supplied patch or upgrade Kodbox to a later version that removes the hard‑coded key
  • If a patch is unavailable, block or restrict external access to the shareSafeGroup endpoint using firewall rules or application‑level controls
  • Audit and rotate all existing API keys associated with the Kodbox instance to prevent potential misuse
  • Monitor application logs for abnormal activity related to the shareSafeGroup API to detect any attempted exploitation

Generated by OpenCVE AI on March 23, 2026 at 15:05 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Kalcaddle; Kalcaddle kodbox

Type: Vendors & Products
Values Removed: (none)
Values Added: Kalcaddle; Kalcaddle kodbox

Mon, 23 Mar 2026 13:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was determined in kalcaddle kodbox 1.64. Impacted is the function shareSafeGroup of the file /workspace/source-code/app/controller/explorer/shareOut.class.php of the component Site-level API key Handler. This manipulation of the argument sk causes use of a hard-coded cryptographic key. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values Removed: (none)
Values Added: kalcaddle kodbox Site-level API key shareOut.class.php shareSafeGroup hard-coded key

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-320; CWE-321

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Kalcaddle Kodbox
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-25T14:06:30.268Z

Reserved: 2026-03-22T11:40:12.546Z

Link: CVE-2026-4588

Vulnrichment

Updated: 2026-03-25T14:06:20.097Z

NVD

Status: Deferred

Published: 2026-03-23T13:16:31.533

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:49:08Z

Weaknesses