Description
Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.
Published: 2026-06-29
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user possessing the GetAlert capability, including low-privilege reader roles, to retrieve webhook tokens and basic-auth credentials in cleartext from the notification-target API. By querying endpoints such as GET /api/v1/targets, the attacker obtains the credentials and URLs of every configured notification target, which may enable further compromise of the downstream services those targets point at. The flaw is classified as CWE-522 (Insufficiently Protected Credentials).
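As an added illustration that is not Parseable's code: a notification-target listing that masks secrets at a single chokepoint before rendering, plus a regression check that fails whenever a response body contains a configured secret, which is exactly what the vulnerable versions (masking step commented out) would have tripped. The struct, field and endpoint names and the hand-written JSON rendering are assumptions standing in for the real model and serializer.

```rust
// Added example, not Parseable's code: names and the JSON rendering are
// assumptions standing in for the real target model and serializer.
pub enum Auth {
    None,
    Basic { username: String, password: String },
    Bearer { token: String },
}
pub struct Target {
    pub name: String,
    pub endpoint: String,
    pub auth: Auth,
}
const MASK: &str = "********";
/// Copy of a target with every secret replaced; the username is not a secret.
pub fn mask_target(t: &Target) -> Target {
    let auth = match &t.auth {
        Auth::None => Auth::None,
        Auth::Basic { username, .. } => Auth::Basic { username: username.clone(), password: MASK.into() },
        Auth::Bearer { .. } => Auth::Bearer { token: MASK.into() },
    };
    Target { name: t.name.clone(), endpoint: t.endpoint.clone(), auth }
}
/// Stand-in rendering of one target (no escaping; a real handler uses a serializer).
pub fn render_json(t: &Target) -> String {
    let auth = match &t.auth {
        Auth::None => "null".to_string(),
        Auth::Basic { username, password } => {
            format!("{{\"type\":\"basic\",\"username\":\"{username}\",\"password\":\"{password}\"}}")
        }
        Auth::Bearer { token } => format!("{{\"type\":\"bearer\",\"token\":\"{token}\"}}"),
    };
    format!("{{\"name\":\"{}\",\"endpoint\":\"{}\",\"auth\":{}}}", t.name, t.endpoint, auth)
}

/// The only path that builds the GET /api/v1/targets body. Masking lives here,
/// so it cannot be skipped (or commented out) by an individual handler.
pub fn list_targets_response(targets: &[Target]) -> String {
    let items: Vec<String> = targets.iter().map(|t| render_json(&mask_target(t))).collect();
    format!("[{}]", items.join(","))
}

/// Regression check for the leak: true if any configured secret appears in the body.
pub fn leaks_secret(body: &str, targets: &[Target]) -> bool {
    targets.iter().any(|t| match &t.auth {
        Auth::None => false,
        Auth::Basic { password, .. } => body.contains(password.as_str()),
        Auth::Bearer { token } => body.contains(token.as_str()),
    })
}
```

Wiring `leaks_secret` into the handler's test suite with the configured targets as input turns the masking step into something a code change cannot silently disable.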

Affected Systems

All Parseable installations running before v2.9.2 are affected. The vendor, Parseable HQ (parseablehq:parseable), released v2.9.2 to fix the issue. Any instance using versions earlier than v2.9.2, regardless of sub-release, must be upgraded.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. The EPSS score is unavailable, and the flaw is not listed in CISA KEV, suggesting no confirmed exploitation yet. Because the flaw requires only standard authenticated access with a low-privilege role, any legitimate user of the system can exploit it with little effort, making it a significant risk to credential secrecy and a potential enabler of lateral movement.

Generated by OpenCVE AI on June 29, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Parseable to version 2.9.2 or later.
  • Restrict the GetAlert action to privileged users only or remove access for low-privilege reader roles.
  • Disable or remove notification targets that use basic‑auth or webhook tokens until the issue is resolved.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

First Time appeared
  Values Added: Parseablehq; Parseablehq parseable
Vendors & Products
  Values Added: Parseablehq; Parseablehq parseable

Tue, 30 Jun 2026 14:30:00 +0000

Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 18:15:00 +0000

Description
  Values Added: Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.
Title
  Values Added: Parseable < 2.9.2 - Cleartext Credential Exposure in Notification Target API
Weaknesses
  Values Added: CWE-522
References
Metrics
  Values Added: cvssV3_1
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
  cvssV4_0
    {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T13:56:43.248Z

Reserved: 2026-06-23T01:24:27.650Z

Link: CVE-2026-56783

Vulnrichment

Updated: 2026-06-30T13:55:49.182Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:04:05Z

Weaknesses
  • CWE-522: Insufficiently Protected Credentials