CWE-522: Insufficiently Protected Credentials
1,429 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-522 (page 29 of 29)
- CVE-2026-28961 | MEDIUM | CVSS 4.6 | EG 4.6 | 2026-05-11
This issue was addressed with improved checks. This issue is fixed in macOS Tahoe 26.5. An attacker with physical access to a locked device may be able to view sensitive user information.
- CVE-2026-32171 | HIGH | CVSS 8.8 | EG 8.8 | 2026-04-14
Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
- CVE-2026-34262 | MEDIUM | CVSS 5.0 | EG 5.0 | 2026-04-14
Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer
- CVE-2026-35155 | HIGH | CVSS 7.1 | EG 7.1 | 2026-04-29
Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low‑privileged attacker to gain elevated access.
- CVE-2026-35185 | HIGH | CVSS 7.5 | EG 7.5 | 2026-04-06
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client …
- CVE-2026-35467 | HIGH | CVSS 7.5 | EG 7.5 | 2026-04-02
The stored API keys in the temporary browser client are not marked as protected, allowing the JavaScript console or other errors to allow extraction of the encryption credentials.
- CVE-2026-39462 | HIGH | CVSS 8.1 | EG 8.1 | 2026-04-24
A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the device undergoes a factory restore using th…
- CVE-2026-39968 | HIGH | CVSS 7.1 | EG 7.1 | 2026-05-22
TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endp…
- CVE-2026-40173 | CRITICAL | CVSS 9.4 | EG 9.4 | 2026-04-15
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without …
- CVE-2026-41266 | HIGH | CVSS 7.5 | EG 7.5 | 2026-04-23
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration w…
- CVE-2026-41345 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-23
OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting malicious cross-origin redirec…
- CVE-2026-41506 | MEDIUM | CVSS 4.7 | EG 4.7 | 2026-05-08
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This …
- CVE-2026-42295 | MEDIUM | CVSS 4.9 | EG 4.9 | 2026-05-09
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, se…
- CVE-2026-42367 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-04
A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vuln…
- CVE-2026-42869 | CRITICAL | CVSS 10.0 | EG 10.0 | 2026-05-11
SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships…
- CVE-2026-42951 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-05-29
An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes.
- CVE-2026-4387 | LOW | CVSS 2.0 | EG 2.0 | 2026-05-29
StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users…
- CVE-2026-43992 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-05-12
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accepted 'mnemonic: string' as an explicit too…
- CVE-2026-45091 | CRITICAL | CVSS 9.1 | EG 9.1 | 2026-05-12
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload …
- CVE-2026-49379 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-29
In JetBrains TeamCity before 2026.1, credentials could be exposed in thread names.
- CVE-2026-6253 | MEDIUM | CVSS 5.9 | EG 5.9 | 2026-05-13
curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is set up to use specific different proxies for different URL schemes 2. the first proxy needs…
- CVE-2026-6345 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-18
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user passwords, which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Adviso…
- CVE-2026-6408 | LOW | CVSS 2.7 | EG 2.7 | 2026-04-22
Tanium addressed an information disclosure vulnerability in Tanium Server.
- CVE-2026-6446 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-05-02
The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This is due to the complete absence of aut…
- CVE-2026-7038 | LOW | CVSS 3.3 | EG 3.3 | 2026-04-26
A weakness has been identified in tufantunc ssh-mcp up to 1.5.0. Impacted is an unknown function of the file src/index.ts of the component Command Line Handler. This manipulation causes insufficiently protected credentials. The attack is r…
- CVE-2026-7312 | CRITICAL | CVSS 10.0 | EG 10.0 | 2026-06-02
CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.86…
- CVE-2026-7313 | HIGH | CVSS 8.7 | EG 8.7 | 2026-06-02
CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain plain-text credentials used to connect to the Sitefinity Insight service. S…
- CVE-2026-8368 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-12
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-su…
- CVE-2026-9395 | LOW | CVSS 3.5 | EG 3.5 | 2026-05-24
A vulnerability was identified in Besen BS20 EV Charging Station up to 20260426. Affected is an unknown function of the component BLE/UDP. The manipulation leads to insufficiently protected credentials. The attack needs to be initiated wit…
Map vulnerabilities like CWE-522 to your infrastructure
EchelonGraph correlates every CVE — across CWE-522 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.