CVE-2026-29872 β A cross-session information disclosure vulnerability exists in theβ¦
Image via opengraph.githubassets.com
π¨ CVE-2026-29872 A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.
security-research/CVE-2026-29872.md at main Β· lilmingwa13/security-research
github.com
What This Means For You
- New vulnerability disclosed β verify if your stack is exposed.
- New tool or resource available β evaluate for your security workflow.
- Phishing or social engineering activity β brief your users and SOC team.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-29872 | Information Disclosure | awesome-llm-apps project, commit e46690f99c3f08be80a9877fab52acacf7ab8251. Vulnerability in Streamlit-based GitHub MCP Agent storing API tokens in process-wide environment variables using os.environ without session isolation. |
| CVE-2026-29872 | Misconfiguration | awesome-llm-apps project, commit e46690f99c3f08be80a9877fab52acacf7ab8251. Improper session isolation in Streamlit-based GitHub MCP Agent leading to exposure of sensitive information like API tokens. |
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Channel ID | 1129491012 |
| Message ID | 158166 |
| Published | April 06, 2026 at 19:26 UTC |
| Original Link | https://github.com/lilmingwa13/security-research/blob/mai... |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Found this interesting? Follow us on LinkedIn to stay ahead.
Share