CVE-2026-32810

Source
https://cve.org/CVERecord?id=CVE-2026-32810
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32810.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32810
Aliases
  • GHSA-x5j2-fr4h-9p7g
Published
2026-03-20T22:40:49.237Z
Modified
2026-04-02T13:41:40.583048Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
Halloy has insecure file permissions on credential files
Details

Halloy is an IRC application written in Rust. On *nix and macOS, in versions prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, Halloy creates its config directory and files using default umask permissions, which typically results in 0644 on files and 0755 on directories. This allows any local user on the system to read plaintext credentials stored in config.toml or in files referenced by password_file paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.
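
The permission problem described above, as an added Rust example (not Halloy's code and not the contents of the fixing commit): an audit that lists paths with any group or other access bit set, next to a writer that pins the directory to 0700 and the file to 0600. The helper names, the temp-directory location and the sample password are constructed for illustration.

```rust
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Write `data` to `dir/name` with the directory at 0700 and the file at 0600.
/// Hypothetical helper for illustration, not Halloy's code.
pub fn write_private(dir: &Path, name: &str, data: &[u8]) -> io::Result<()> {
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    // create() leaves an existing directory's mode alone, so chmod it explicitly.
    fs::set_permissions(dir, fs::Permissions::from_mode(0o700))?;
    let mut f = OpenOptions::new()
        .write(true).create(true).truncate(true)
        .mode(0o600) // applied only when the file is newly created
        .open(dir.join(name))?;
    // Tighten a file that already existed with a wider mode before writing secrets.
    f.set_permissions(fs::Permissions::from_mode(0o600))?;
    f.write_all(data)
}

/// Audit: every non-symlink path at or below `dir` with any group/other bit set.
pub fn exposed(dir: &Path) -> io::Result<Vec<(PathBuf, u32)>> {
    let (mut out, mut stack) = (Vec::new(), vec![dir.to_path_buf()]);
    while let Some(p) = stack.pop() {
        let meta = fs::symlink_metadata(&p)?;
        let mode = meta.permissions().mode() & 0o777;
        if meta.is_dir() {
            for entry in fs::read_dir(&p)? { stack.push(entry?.path()); }
        }
        if !meta.file_type().is_symlink() && mode & 0o077 != 0 { out.push((p, mode)); }
    }
    out.sort();
    Ok(out)
}

/// Constructed sample: a config dir left at 0755/0644, the typical umask-022 result.
pub fn make_legacy(dir: &Path) -> io::Result<()> {
    fs::create_dir_all(dir)?;
    fs::write(dir.join("config.toml"), b"password = \"constructed-sample\"\n")?;
    fs::set_permissions(dir.join("config.toml"), fs::Permissions::from_mode(0o644))?;
    fs::set_permissions(dir, fs::Permissions::from_mode(0o755))
}

fn main() -> io::Result<()> {
    let dir = std::env::temp_dir().join(format!("halloy-perm-demo-{}", std::process::id()));
    make_legacy(&dir)?;
    println!("before: {:?}", exposed(&dir)?);
    write_private(&dir, "config.toml", b"password = \"constructed-sample\"\n")?;
    println!("after:  {:?}", exposed(&dir)?);
    fs::remove_dir_all(&dir)
}
```

Because the mode passed at creation time does not change a file or directory that already exists, an upgrade alone may leave previously created config files readable; the explicit set_permissions calls cover that case.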

Database specific
{
    "cwe_ids": [
        "CWE-732"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32810.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/squidowl/halloy

Affected ranges

Type
GIT
Repo
https://github.com/squidowl/halloy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2023.*
2023.2
2023.3
2023.4
2023.5
2024.*
2024.1
2024.10
2024.11
2024.12
2024.13
2024.14
2024.2
2024.3
2024.4
2024.5
2024.6
2024.7
2024.8
2024.9
2025.*
2025.1
2025.10
2025.11
2025.12
2025.2
2025.3
2025.4
2025.5
2025.6
2025.7
2025.8
2025.9
2026.*
2026.1
2026.1.1
2026.2
2026.3
2026.4
23.*
23.1-alpha1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32810.json"