CVE-2026-5128

Received
Published: 30 Mar 2026, 09:18
Last modified:30 Mar 2026, 09:42

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
10 CRITICAL
v4.0 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

30 Mar 2026, 09:18
Published
Vulnerability first disclosed
30 Mar 2026, 09:42
Last Modified
Vulnerability information updated

Description

A sensitive information exposure vulnerability exists in ArthurFiorette steam-trader 2.1.1. An unauthenticated attacker can send a request to the /users API endpoint to retrieve highly sensitive Steam account data, including the account username, password, identity secret, and shared secret. In addition, application logs expose authentication artifacts such as access tokens, refresh tokens, and session identifiers. This information allows an attacker to generate valid Steam Guard (2FA) codes, hijack authenticated sessions, and obtain full control over the affected Steam account, including unauthorized access to inventory and trading functionality. No fix is available because the repository is archived and no longer maintained.

CVSS Metrics

  • v4.0CRITICALScore: 10CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • v4.0CRITICALScore: 10CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • v3.1CRITICALScore: 10CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • v2.0HIGHScore: 10AV:N/AC:L/Au:N/C:C/I:C/A:C

Techniques & Countermeasures

  • CWE-200Exposure of Sensitive Information to an Unauthorized Actor

    The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • CWE-532Insertion of Sensitive Information into Log File

    The product writes sensitive information to a log file.

Affected Systems

  • arthurfiorettesteam-trader

    2.1.1

References (1)