CVE-2026-11347: Hardcoded Cryptographic Keys and Weak IV Generation in Linqi Application
The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with local access can leverage these vulnerabilities to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json.
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Hardcoded cryptographic keys and weak IV generation affect the linqi application (versions up to and including 1.4.8.5). A local attacker with a low-privilege account can exploit predictable AES/CBC initialization vectors and embedded keys to perform known-plaintext attacks against encrypted configuration data. Successful exploitation gives the attacker access to database credentials stored in appsettings.json. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the linqi application or its configuration.
Status: Available
HarborGuard scores this finding at CVSS 8.5 (High) using the v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the linqi advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network-facing exposure is required to reach the vulnerable code paths.
- Authentication: Required
Any low-privilege local account is sufficient; the attacker does not need administrative rights to read configuration files or invoke the vulnerable decryption logic.
- Victim interaction: Not required
No user interaction is required; the attacker operates entirely on their own without needing to social-engineer another party.
- Attack complexity: Detail
The exploit is reliable and condition-free: the hardcoded keys are static and the limited ASCII charset used for IV generation makes exhaustive recovery straightforward without depending on race conditions or memory layout.
Blast Radius
- Reads AES-encrypted configuration strings from appsettings.json, recovering plaintext database ConnectionString values including hostnames, usernames, and passwords.
- Gains direct database credentials, enabling further authentication to backend data stores with whatever permissions the connection string user holds.
- Any data accessible to the compromised database account, including stored records, session data, and application secrets, is exposed to the attacker.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-11347, HarborGuard monitors the linqi advisory feed on every ingest cycle and will surface a patched-image rebuild the moment a fix version is released. In the interim, compensating controls are worth considering: network-policy isolation to restrict which principals can obtain a local shell on nodes running linqi containers, strict file-permission hardening on appsettings.json within the container image to limit read access beyond the application process, and egress filtering to prevent a compromised credential from being used to reach database endpoints from unexpected sources. Where compliance policy permits, customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically once the upstream patch is available.
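One way to verify the appsettings.json file-permission control described above, as an added example that is not HarborGuard's or linqi's code: it walks an unpacked image root filesystem and reports every appsettings.json that is readable or writable beyond its owner, noting whether the file holds a connection-string key. The names `audit` and `_has_connection_string`, the report fields, and the scan root passed on the command line are assumptions made for this sketch.

```python
import json
import os
import stat
import sys

TARGET = "appsettings.json"  # config file named in the advisory

def _has_connection_string(path):
    """True if the file has a key containing 'connectionstring' (any case)."""
    try:
        with open(path, encoding="utf-8-sig") as fh:
            text = fh.read()
    except (OSError, UnicodeDecodeError):
        return False
    try:
        stack = [json.loads(text)]
    except ValueError:
        # Files with comments are not strict JSON; fall back to a text match.
        return "connectionstring" in text.lower()
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if any("connectionstring" in key.lower() for key in node):
                return True
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return False

def audit(root):
    """Report each appsettings.json under root that non-owners can access."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() != TARGET or os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            checks = [(stat.S_IROTH, "world-readable"),
                      (stat.S_IRGRP, "group-readable"),
                      (stat.S_IWGRP | stat.S_IWOTH, "writable-by-non-owner")]
            issues = [label for bit, label in checks if mode & bit]
            if issues:
                findings.append({"path": path, "mode": oct(mode), "issues": issues,
                                 "has_connection_string": _has_connection_string(path)})
    return sorted(findings, key=lambda f: f["path"])

if __name__ == "__main__":
    print(*audit(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

A finding with `has_connection_string` set is the one to tighten first, for example to owner-only read for the account the application runs as.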
- linqi GmbH / linqi ≤ 1.4.8.5
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N