CVE-2026-29872 β A cross-session information disclosure vulnerability exists in theβ¦
Image via opengraph.githubassets.com
π¨ CVE-2026-29872 A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.
What This Means For You
- New vulnerability disclosed β verify if your stack is exposed.
- New tool or resource available β evaluate for your security workflow.
- Phishing or social engineering activity β brief your users and SOC team.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-29872 | Information Disclosure | awesome-llm-apps project, commit e46690f99c3f08be80a9877fab52acacf7ab8251. Vulnerability in Streamlit-based GitHub MCP Agent storing API tokens in process-wide environment variables using os.environ without session isolation. |
| CVE-2026-29872 | Misconfiguration | awesome-llm-apps project, commit e46690f99c3f08be80a9877fab52acacf7ab8251. Improper session isolation in Streamlit-based GitHub MCP Agent leading to exposure of sensitive information like API tokens. |
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Published | April 06, 2026 at 19:26 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
BookingPress Pro Plugin: Critical RCE via Unauthenticated File Upload
CVE-2026-6960 β The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in...
CVE-2026-22678 β The Email Template Description Field Of The System And Serve Cross-Site Scripting (XSS)
CVE-2026-22678 β Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that...
LiteLLM Privilege Escalation: User Role Manipulation Grants Admin Access (CVE-2026-47102)
CVE-2026-47102 β LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to...