Back to overview

CVE-2026-63098

MEDIUM Exploitation: PoC
5.3
CVSS 3.1
Description
TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler. Attackers can obtain the datastore attachment protection password, configured authentication providers, SSO settings, MFA capabilities, and clustered node addresses and roles without any credentials.

Metadata

CVE ID
CVE-2026-63098
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-15 15:45 UTC
Published
2026-07-17 15:38 UTC
Last updated
2026-07-17 17:26 UTC
Primary CWE
CWE-306
Missing Authentication for Critical Function
Vendor / Product
TheHive-Project / TheHive
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
TheHive-Project TheHive 0 ≤ 4.1.24
Weakness (CWE)
CWESourceDescription
CWE-306 cna Missing Authentication for Critical Function
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.9 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Back to overview