HIGH | CVE-2026-50870 | Published | Modified | CNA mitre

CVE-2026-50870: An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1

An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3. The flaw is reachable over the network with no authentication required, and an attacker can exploit it by sending a crafted GET request to the affected endpoint. Successful exploitation gives the attacker access to sensitive configuration information. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-50870 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle whoogle-search v1.2.3. Any image containing the affected version will surface in the scan results for that registry or pipeline.

Status: Available

Triage

Triage is available with a CVSS v3.1 score of 7.5 (HIGH), applied against each customer environment according to its configured compliance policy weighting. Findings are routed to the appropriate team inbox within each customer organization based on those policy settings.

Status: Available

Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable configuration endpoint is exposed over the network, so the attacker must be able to reach it via a standard HTTP request from a remote host.

  • Authentication: Not required

    No credentials or session token are needed; the crafted GET request can be sent by any unauthenticated caller.

  • Victim interaction: Not required

    The attacker sends a direct request to the endpoint and does not need any action from a user or operator of the affected service.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is straightforward and reliable with no race conditions or special environmental preconditions required.

Blast Radius

  • A successful attacker reads sensitive configuration data exposed by the whoogle-search configuration endpoint, which may include internal settings, API keys, proxy credentials, or other deployment parameters stored there.
  • Exposed configuration values can be used to pivot further, for example by reusing credentials or understanding internal network topology revealed in the config.
  • Confidentiality of the affected service is fully compromised; integrity and availability of the service are not directly affected by this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-50870 is matched against images in customer registries and CI pipelines continuously as part of the standard ingest cycle. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest pass and will make a patched-image rebuild available the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed automatically by a regression test run and a PR opened against affected workloads, requiring no manual steps. In the interim, compensating controls worth considering include applying a network policy to restrict external access to the whoogle-search configuration endpoint, adding egress filtering to limit exposure of any secrets that endpoint may reveal, and auditing current deployment configurations to confirm that sensitive values are not unnecessarily stored there.


Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N