CVE-2026-63098 in TheHive
Summary
by MITRE • 07/17/2026
TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler. Attackers can obtain the datastore attachment protection password, configured authentication providers, SSO settings, MFA capabilities, and clustered node addresses and roles without any credentials.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
TheHive version 4.1.24 and earlier contains a critical unauthenticated information disclosure vulnerability that fundamentally undermines the platform's security posture. This vulnerability exists within the StatusCtrl.scala handler where the /api/status endpoint fails to enforce proper authentication mechanisms, allowing any remote attacker to access sensitive system configuration data without requiring valid credentials or authentication tokens. The flaw represents a classic failure in access control implementation where the system assumes that certain status information should remain publicly accessible despite containing highly sensitive operational details.
The technical exploitation of this vulnerability occurs through a simple GET request to the /api/status endpoint, which demonstrates how insufficient input validation and authentication checks can create severe security implications. Attackers can retrieve comprehensive information about the system's datastore configuration including attachment protection passwords that control access to stored evidence and attachments. The vulnerability also exposes configured authentication providers which reveals whether the system uses local authentication, ldap, oauth, or other third-party identity management systems. Additionally, SSO settings are disclosed, providing attackers with critical information about single sign-on configurations that may be leveraged for further attacks.
The operational impact of this vulnerability extends beyond simple information disclosure as it provides attackers with detailed insights into the system's architecture and deployment configuration. Clustered node addresses and roles reveal the distributed nature of the deployment which could enable attackers to target specific nodes or understand the overall system topology. This information can be used to plan more sophisticated attacks including targeted denial-of-service attempts against critical cluster nodes or exploitation of specific vulnerabilities in particular node configurations. The exposure of MFA capabilities indicates whether multi-factor authentication is implemented, potentially revealing weaknesses in the overall authentication strategy.
This vulnerability aligns with CWE-306 (Missing Authentication for Critical Function) and represents a failure in implementing proper access control mechanisms as outlined in the OWASP Top Ten 2021 category A07: Identification and Authentication Failures. The flaw also maps to ATT&CK technique T1213.002 (Data from Information Repositories) where adversaries collect information about system configurations to inform their attack strategies. Organizations using TheHive in production environments face significant risk as this vulnerability can be exploited without any specialized tools or advanced knowledge, making it particularly dangerous in environments where threat actors actively scan for such misconfigurations.
The recommended mitigations include immediate implementation of authentication enforcement on the /api/status endpoint through proper access control mechanisms that require valid credentials before returning system status information. Organizations should also implement network segmentation to limit access to administrative endpoints and consider implementing rate limiting to prevent automated enumeration attacks against the vulnerable endpoint. Regular security assessments should be conducted to identify similar authentication bypass vulnerabilities in other system components, and organizations should ensure that all sensitive configuration data is properly protected through appropriate access controls rather than relying on network-level protections alone.