VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50870

Description

An information disclosure vulnerability in Whoogle Search 1.2.3 exposes configured Google CSE credentials via the /config endpoint and rendered preferences.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The configuration endpoint GET /config in Ben Busby's Whoogle Search v1.2.3 returns the g.user_config.__dict__ object, which includes the sensitive fields cse_api_key and cse_id when they are configured. The same credentials are also rendered into client-visible state in the index and header templates, and into the encoded preference values used by the / and /search endpoints. The WHOOGLE_CONFIG_DISABLE=1 setting blocks configuration changes but does not prevent exposure of these fields [1].

Exploitation

An unauthenticated remote attacker can trigger the disclosure by sending a crafted GET request to /config. The attacker can also visit / or /search and inspect the rendered BYOK fields or decode the preference value to obtain the credentials [1].

Impact

Successful exploitation reveals the Google Custom Search Engine API key and search engine ID configured for the Whoogle instance. An attacker can reuse these credentials outside the application, potentially consuming quota or incurring costs against the owner's Google CSE configuration [1].

Mitigation

No official fix has been released as of the publication date. Users should avoid configuring CSE credentials in Whoogle Search 1.2.3 or consider removing the instance from untrusted networks. The WHOOGLE_CONFIG_DISABLE=1 environment variable does not mitigate the exposure; a proper patch is awaited [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The configuration model does not include cse_api_key and cse_id in the safe preference-key set, causing them to be exposed via the /config endpoint and client-visible state."

Attack vector

A remote attacker with no administrative capability sends a crafted GET request to `/config` on a Whoogle Search 1.2.3 instance that has non-empty `cse_api_key` and `cse_id` values configured. The JSON response exposes these credentials. The same values also appear in rendered form state on `/` and `/search` pages, and in the encoded preferences value, which can be decoded [1]. The `WHOOGLE_CONFIG_DISABLE=1` setting does not block this exposure [1].

Affected code

The `/config` route returns `g.user_config.__dict__`, which includes the `cse_api_key` and `cse_id` fields when they are present. These fields are not in the safe preference-key set, so they are exposed via the configuration endpoint and also rendered into client-visible state in the index/header templates and the encoded preferences values used by `/` and `/search` [1].

What the fix does

The advisory does not include a published patch. The recommended remediation is to add `cse_api_key` and `cse_id` to the safe preference-key set so they are excluded from the `g.user_config.__dict__` returned by `/config`, and to prevent these fields from being rendered in client-visible templates and encoded preference values [1].
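The following is a constructed illustration of the defect described under "Affected code" and of the filtering remediation described above; it is not Whoogle's code and does not reproduce its configuration model. The names `Prefs`, `SAFE_PREFERENCE_KEYS`, `SECRET_KEYS`, `config_endpoint_vulnerable`, `config_endpoint_fixed`, `encode_preferences` and `leaks_credentials` are hypothetical. The example models the "safe preference-key set" as an allowlist of keys that may be serialised to clients, backed by an explicit denylist of credential keys, and shows that the same filtered view must feed both the configuration response and the encoded preferences value, since the advisory notes the credentials leak through both paths.

```python
"""Constructed example (not Whoogle's code): a minimal preferences model that
mirrors the defect in this advisory and the allowlist-based remediation.
All names here are hypothetical and chosen for illustration only."""
import base64
import json

# Allowlist of preference keys that may ever be serialised to a client.
# Anything not listed is treated as server-side only.  (Hypothetical set.)
SAFE_PREFERENCE_KEYS = frozenset({"theme", "lang_search", "safe_search"})

# Credential keys that must never reach a client, even if a later change
# widens the allowlist by mistake.  Denylist as a second line of defence.
SECRET_KEYS = frozenset({"cse_api_key", "cse_id"})


class Prefs:
    """Minimal stand-in for a user-configuration object."""

    def __init__(self, **kwargs):
        self.theme = kwargs.get("theme", "light")
        self.lang_search = kwargs.get("lang_search", "en")
        self.safe_search = kwargs.get("safe_search", False)
        # Bring-your-own-key Google CSE credentials, if the operator set them.
        self.cse_api_key = kwargs.get("cse_api_key", "")
        self.cse_id = kwargs.get("cse_id", "")


def config_endpoint_vulnerable(prefs):
    """Mirrors the defect: the whole __dict__ is returned, credentials included."""
    return dict(prefs.__dict__)


def client_visible_prefs(prefs):
    """Keep only allowlisted keys and drop any credential key explicitly."""
    return {
        key: value
        for key, value in prefs.__dict__.items()
        if key in SAFE_PREFERENCE_KEYS and key not in SECRET_KEYS
    }


def config_endpoint_fixed(prefs):
    """Hardened /config equivalent: only allowlisted, non-secret keys."""
    return client_visible_prefs(prefs)


def encode_preferences(prefs):
    """Encoded 'preferences' value of the kind embedded in a page or URL.
    Built from the filtered view, so decoding it cannot reveal credentials."""
    payload = json.dumps(client_visible_prefs(prefs), sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode()


def decode_preferences(token):
    """Inverse of encode_preferences, used here to verify what a client sees."""
    return json.loads(base64.urlsafe_b64decode(token.encode()))


def leaks_credentials(exposed):
    """Defender-side check: does a client-visible mapping carry any secret?"""
    return any(exposed.get(key) for key in SECRET_KEYS)


if __name__ == "__main__":
    # Constructed placeholder credentials; not real values.
    prefs = Prefs(theme="dark", cse_api_key="PLACEHOLDER_API_KEY",
                  cse_id="PLACEHOLDER_CSE_ID")
    print("vulnerable /config leaks:", leaks_credentials(config_endpoint_vulnerable(prefs)))
    print("fixed /config leaks:     ", leaks_credentials(config_endpoint_fixed(prefs)))
    print("decoded preferences:     ", decode_preferences(encode_preferences(prefs)))
```

The `leaks_credentials` check is the kind of assertion worth keeping in a project's test suite: run it against every client-facing serialisation (the configuration response, template context, encoded preferences) so that a future field added to the model cannot silently reopen the disclosure.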

Preconditions

  • config: Whoogle Search 1.2.3 instance must have non-empty cse_api_key and cse_id values configured
  • network: Attacker must be able to send HTTP GET requests to the instance

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.