CVE-2026-10584: HTTPS Fallback to HTTP in Graph Explorer
Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later.
Metrics
- CVSS v4.0
- 8.2
- Severity
- HIGH
- Fixed in
- 3.0.1
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an insecure transport fallback vulnerability in AWS Graph Explorer. When certificate files are missing from the proxy server configuration, the proxy silently downgrades connections from HTTPS to unencrypted HTTP, making traffic readable to anyone positioned between the client and the server. A remote attacker who can intercept that traffic reads the full content of requests and responses, including sensitive data such as credentials or query results. A patched-image rebuild at version 3.0.1 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Graph Explorer. Any image running a version from 1.1.0 up to, but not including, 3.0.1 is flagged automatically.
HarborGuard scores this finding at CVSS 8.2 (High) and can weight that score against each environment's compliance policy to adjust priority and route the alert to the appropriate team inbox in each customer organization.
A patched-image rebuild at Graph Explorer 3.0.1 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite against the updated image, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be positioned on a network path between the client and the Graph Explorer proxy in order to intercept the downgraded HTTP traffic.
- Authentication: Not required
No account or credential is needed; the attacker only needs to observe the unencrypted traffic on the network path.
- Victim interaction: Not required
No user action is required; the proxy silently falls back to HTTP on its own when certificate files are absent.
- Attack complexity: Low (AC:L), with an attack requirement (AT:P)
While the base exploit is condition-free once HTTP fallback is active, the CVSS vector includes an attack requirement (AT:P) noting that a specific precondition, missing certificate files on the proxy, must already be present in the target environment.
Blast Radius
- The attacker reads the full plaintext content of HTTP requests that were intended to be encrypted, exposing any credentials, tokens, or API keys transmitted by the client.
- Graph query payloads and their responses are visible in transit, potentially disclosing sensitive data about the graph structure, node relationships, and stored records.
- Session or authorization headers passed to the Graph Explorer proxy are readable, which may allow the attacker to replay those headers against the backend API.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE fires within minutes of ingestion for any image found running Graph Explorer versions 1.1.0 through 3.0.0. A rebuilt image at the fixed version 3.0.1 is available for affected environments. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs a regression test pass against the patched image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding is queued in the team inbox with full CVSS context and a direct reference to the 3.0.1 upgrade path. As a compensating control before patching, network policy rules that restrict who can reach the Graph Explorer proxy over HTTP reduce the window of exposure if certificate files happen to be absent in a given deployment.
- AWS / Graph Explorer: < 3.0.1 (from 1.1.0)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N