CVE-2026-63098
Gravedad CVSS v4.0:
MEDIA
Tipo:
CWE-306
Ausencia de autenticación para una función crítica
Fecha de publicación:
17/07/2026
Última modificación:
17/07/2026
Descripción
*** Pendiente de traducción *** TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler. Attackers can obtain the datastore attachment protection password, configured authentication providers, SSO settings, MFA capabilities, and clustered node addresses and roles without any credentials.
Impacto
Puntuación base 4.0
6.90
Gravedad 4.0
MEDIA
Puntuación base 3.x
5.30
Gravedad 3.x
MEDIA



