| शीर्षक | ItzCrazyKns Vane 1.12.1 API Key Exposure |
|---|
| विवरण | Vane version 1.12.1 exposes an unauthenticated HTTP endpoint at GET /api/config that returns the application's complete configuration object, including all configured LLM provider API keys in plaintext. The endpoint performs no authentication, no authorization checks, and no field-level redaction of sensitive values before serializing the response.
Any network-adjacent or remote attacker capable of reaching the Vane service port can retrieve every API key configured in the system with a single HTTP request. This includes keys for OpenAI, Anthropic, Google Gemini, Groq, Ollama, and any other model provider configured by the operator, as well as internal infrastructure URLs that may reveal organizational network topology. |
|---|
| स्रोत | ⚠️ https://github.com/ItzCrazyKns/Vane/issues/1122 |
|---|
| उपयोगकर्ता | Yu-Bao (UID 96702) |
|---|
| सबमिशन | 26/04/2026 03:55 AM (1 महीना पहले) |
|---|
| संयम | 23/05/2026 03:49 PM (27 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 365334 [ItzCrazyKns Vane तक 1.12.1 API route.ts कमजोर प्रमाणीकरण] |
|---|
| अंक | 20 |
|---|