CVE-2021-41867
Description
An information disclosure vulnerability in OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to retrieve the full list of participants of a non-public OnionShare node via the --chat feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OnionShare 2.3 before 2.4 discloses chat participants to unauthenticated remote attackers via the --chat feature.
Vulnerability
OnionShare versions 2.3 before 2.4 contain an information disclosure flaw in the --chat feature. When a non-public OnionShare node is started with the --chat option, an unauthenticated remote attacker can retrieve the full list of participants. The issue was fixed in version 2.4 [1][3].
Exploitation
An attacker needs only network access to the Tor onion service of the victim's OnionShare instance; no authentication or user interaction is required. By sending crafted requests to the chat endpoint, the attacker can enumerate all participants connected to the non-public chat room [3].
Impact
Successful exploitation lets the attacker learn the identities (presumably Tor onion addresses or usernames) of every participant in a supposedly private chat session. This breaches the participants' confidentiality and could reveal that particular individuals are communicating via OnionShare [1][3].
Mitigation
The vulnerability is fixed in OnionShare 2.4, released in October 2021 [1][2]; users should upgrade to 2.4 or later. As a workaround, avoid using the --chat feature in non-public mode, or ensure the instance is reachable only by trusted parties via proper authentication [3]. The CVE is not listed in KEV.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| onionshare-cli | PyPI | >= 2.3, < 2.4 | 2.4 |
Affected products
- OnionShare/OnionShare
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-6rvj-pw9w-jcvc (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-41867 (GHSA, advisory)
3. github.com/onionshare/onionshare/compare/v2.3.3...v2.4 (GHSA, x_refsource_MISC, web)
4. www.ihteam.net/advisory/onionshare (GHSA, web)
5. www.ihteam.net/advisory/onionshare/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.