Impact
The vulnerability allows any authenticated user who holds the GetAlert capability, including low‑privilege reader roles, to read webhook tokens and HTTP basic‑auth credentials in cleartext from the notification‑target API. A single request such as GET /api/v1/targets returns the URL and credentials of every configured notification target, and those credentials can be replayed against the downstream services the targets deliver alerts to. The weakness is classed as CWE‑522 (Insufficiently Protected Credentials).
Affected Systems
All Parseable releases before v2.9.2 are affected, regardless of sub‑release. The vendor, Parseable HQ (parseablehq:parseable), fixed the issue in v2.9.2; any instance running an earlier version should be upgraded to v2.9.2 or later. Upgrading stops further disclosure but does not revoke secrets that may already have been read, so webhook tokens and basic‑auth credentials stored in notification targets should be rotated on the downstream services if any low‑privilege account could have queried the endpoint.
Risk and Exploitability
The CVSS score of 7.1 rates the flaw High. No EPSS score is available and the flaw is not listed in CISA KEV, so there is no public evidence of exploitation so far. Exploitation nevertheless needs nothing beyond an ordinary authenticated session with a low‑privilege role that carries GetAlert, so any legitimate user can pull every stored target credential with one API call. The real exposure is to the downstream systems those credentials unlock: a leaked webhook token or basic‑auth pair can be replayed from outside Parseable, turning a read‑only logging account into a foothold for lateral movement.
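As an added check (example code written for this page, not Parseable's own code and not part of the advisory), the script below pulls /api/v1/targets over HTTP basic auth and walks the JSON response for credential-like fields and for URLs carrying userinfo, reporting any that come back unmasked. The field-name pattern, the redaction placeholders it accepts, the environment variable names, the use of basic auth against the Parseable API, and both sample responses are assumptions; Parseable's actual target schema is not given on this page. Run without PARSEABLE_URL set, it audits a constructed sample instead of a live instance.

```python
"""Audit a notification-target API response for cleartext credentials.

Added example for checking an instance against the disclosure described
above; field names, redaction markers and sample payloads are assumptions,
not Parseable's documented schema.
"""
import base64
import json
import os
import re
import sys
import urllib.request
from typing import Any, Iterator, Optional
from urllib.parse import urlsplit

# Key names that commonly carry credentials in notification-target configs
# (assumed; the advisory names webhook tokens and basic-auth credentials only).
SECRET_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|authorization|credential", re.I)

# Placeholder values a fixed API is expected to return instead of the secret (assumed).
REDACTED_VALUES = {"", "[REDACTED]", "<redacted>", "REDACTED", "null"}


def is_redacted(value: str) -> bool:
    """True if the value is empty, a known placeholder, or made only of '*' masks."""
    v = value.strip()
    return v in REDACTED_VALUES or set(v) <= {"*"}


def iter_secrets(node: Any, path: str = "$", key: Optional[str] = None) -> Iterator[tuple[str, str]]:
    """Yield (json_path, reason) for every unmasked secret in a parsed response.

    Two patterns are checked: string values under credential-like keys, and
    any string that parses as a URL with userinfo (https://user:pass@host).
    """
    if isinstance(node, dict):
        for k, v in node.items():
            yield from iter_secrets(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_secrets(item, f"{path}[{i}]", None)
    elif isinstance(node, str):
        if key is not None and SECRET_KEY.search(key) and not is_redacted(node):
            yield path, f"cleartext value under credential field '{key}'"
        else:
            try:
                if urlsplit(node).password:
                    yield path, "credentials embedded in URL userinfo"
            except ValueError:  # malformed bracketed IPv6 host; not a URL we care about
                pass


def find_cleartext_secrets(body: str) -> list[tuple[str, str]]:
    """Parse a JSON body and return (path, reason) for every exposed secret."""
    return list(iter_secrets(json.loads(body)))


def fetch_targets(base_url: str, username: str, password: str, timeout: float = 10.0) -> str:
    """GET /api/v1/targets with HTTP basic auth (assumed auth scheme) and return the raw body."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/targets")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses (illustrative only; not captured from Parseable).
SAMPLE_VULNERABLE = json.dumps([
    {"name": "ops-chat", "type": "webhook",
     "endpoint": "https://hooks.example.com/services/T000/B000/XXXX",
     "headers": {"Authorization": "Bearer wh_token_abc123"}},
    {"name": "oncall", "type": "webhook",
     "endpoint": "https://alerts.example.com/ingest",
     "auth": {"username": "alerts", "password": "s3cr3t-p@ss"}},
    {"name": "legacy", "type": "webhook",
     "endpoint": "https://svc:pw123@legacy.example.com/hook"},
])
SAMPLE_FIXED = json.dumps([
    {"name": "ops-chat", "type": "webhook",
     "endpoint": "https://hooks.example.com/services/T000/B000/XXXX",
     "headers": {"Authorization": "[REDACTED]"}},
    {"name": "oncall", "type": "webhook",
     "endpoint": "https://alerts.example.com/ingest",
     "auth": {"username": "alerts", "password": "********"}},
    {"name": "legacy", "type": "webhook",
     "endpoint": "https://legacy.example.com/hook"},
])


def main() -> int:
    url = os.environ.get("PARSEABLE_URL")  # env var names are assumptions
    if url:
        body = fetch_targets(url, os.environ["PARSEABLE_USER"], os.environ["PARSEABLE_PASS"])
    else:
        body = SAMPLE_VULNERABLE
    findings = find_cleartext_secrets(body)
    for path, reason in findings:
        print(f"EXPOSED {path}: {reason}")
    print(f"{len(findings)} finding(s)" if findings else "no cleartext secrets found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit means the instance still hands credentials to whoever can call the endpoint, which is the condition to test with a reader-role account both before and after upgrading. One limit worth knowing: webhook URLs whose secret lives in the path rather than in userinfo or a header (common for chat-service webhooks) are indistinguishable from a harmless URL by any generic check, so treat every disclosed target URL as sensitive regardless of what this script reports.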
OpenCVE Enrichment