VYPR

CWE-526

Cleartext Storage of Sensitive Information in an Environment Variable

Abstraction: Variant
Status: Incomplete

Description

The product uses an environment variable to store unencrypted sensitive information.

Information stored in an environment variable can be accessible to other processes within the same execution context, including child processes that dependencies are executed in, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these other dependencies have no need for the environment variable in question, yet any weakness that discloses environment variables would expose this information along with everything else in the environment.
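As an added illustration of the child-process inheritance the description warns about (example code written for this page, not from VYPR or from any project in the CVE list below; the variable name DEMO_API_TOKEN and the allow list are constructed assumptions), the following contrasts spawning a CLI child with a full copy of os.environ against spawning it with only an allow-listed subset:

```python
import json
import os
import subprocess
import sys

# Constructed sample: a process-level secret that a child with no need
# for it should never inherit (hypothetical name and value).
SECRET_NAME = "DEMO_API_TOKEN"

# Variables a typical CLI child actually needs in order to run; everything
# else, credentials included, is dropped before the child is spawned.
ALLOWED_VARS = ("PATH", "HOME", "LANG", "TMPDIR", "SYSTEMROOT")


def minimal_env(allowed=ALLOWED_VARS, source=None):
    """Build a child environment that contains only allow-listed variables."""
    source = os.environ if source is None else source
    return {k: v for k, v in source.items() if k in allowed}


def child_environment(env):
    """Spawn a child (the Python interpreter itself) and return the
    environment variables that child can see."""
    result = subprocess.run(
        [sys.executable, "-c",
         "import json, os; print(json.dumps(dict(os.environ)))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


def demo():
    """Return (secret_visible_with_full_copy, secret_visible_with_minimal_env)."""
    os.environ[SECRET_NAME] = "constructed-secret-value"
    full_copy = dict(os.environ)  # the "pass everything" pattern
    leaked = SECRET_NAME in child_environment(full_copy)
    contained = SECRET_NAME in child_environment(minimal_env())
    return leaked, contained


if __name__ == "__main__":
    leaked, contained = demo()
    print(f"full copy leaks secret: {leaked}; allow list leaks secret: {contained}")
```

The same allow-list approach applies to job runners and serverless wrappers: derive the child's environment from an explicit list rather than from the parent's full environment.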

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (14)

  • CVE-2026-45370 | High | May 14, 2026
    risk 0.50 | cvss 7.7 | epss 0.00

    python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single…

  • CVE-2026-40153 | High | Apr 9, 2026
    risk 0.48 | cvss 7.4 | epss 0.00

    PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line…

  • CVE-2024-4369 | Medium | May 1, 2024
    risk 0.44 | cvss 6.8 | epss 0.01

    An information disclosure flaw was found in OpenShift's internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high…

  • CVE-2024-12604 | Medium | Mar 10, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse. This issue affects Tap&Sign App:…

  • CVE-2024-2700 | High | Apr 4, 2024
    risk 0.39 | cvss 7.0 | epss 0.00

    A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment…

  • CVE-2024-47056 | Medium | May 28, 2025
    risk 0.33 | cvss 5.1 | epss 0.00

    Summary: This advisory addresses a security vulnerability in Mautic where sensitive .env configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other…

  • CVE-2025-9162 | Medium | Aug 21, 2025
    risk 0.32 | cvss 4.9 | epss 0.00

    A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted…

  • CVE-2025-36105 | Medium | Mar 10, 2026
    risk 0.29 | cvss 4.4 | epss 0.00

    IBM Planning Analytics Advanced Certified Containers 3.1.0 through 3.1.4 could allow a local privileged user to obtain sensitive information from environment variables.

  • CVE-2026-49377 | Medium | May 29, 2026
    risk 0.28 | cvss 4.3 | epss 0.01

    In JetBrains TeamCity before 2025.11.2, exposure of sensitive data via default agent parameters.

  • CVE-2024-11736 | Medium | Jan 14, 2025
    risk 0.25 | cvss 4.9 | epss 0.01

    A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or…

  • CVE-2023-5720 | Nov 15, 2023
    risk 0.00 | cvss - | epss 0.01

    A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.

  • CVE-2023-35931 | Jun 23, 2023
    risk 0.00 | cvss - | epss 0.01

    Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1.

  • CVE-2019-14802 | Dec 26, 2022
    risk 0.00 | cvss - | epss 0.01

    HashiCorp Nomad 0.5.0 through 0.9.4 (fixed in 0.9.5) reveals unintended environment variables to the rendering task during template rendering, aka GHSA-6hv3-7c34-4hx8. This applies to nomad/client/allocrunner/taskrunner/template.

  • CVE-2014-2377 | Sep 15, 2014
    risk 0.00 | cvss - | epss 0.02

    Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.