HarborGuard Database
Severity: HIGH · CVE-2026-8876 · Published · Modified · CNA: certcc

CVE-2026-8876

Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.

Metrics

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a hardcoded-credential / information-disclosure vulnerability in the Securly Chrome Extension, version 3.0.7 and earlier. The extension bundles plaintext AES passphrases directly in its JavaScript file (securly.min.js), exposing the passphrases used to decrypt the crisis alert keyword list and the intervention site data. Because a Chrome extension ships to every installing browser, anyone who obtains the package can extract those passphrases and decrypt the protected data with no credentials and no user interaction; minification hides nothing from a string search. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle the affected extension or its dependencies. Any image layer containing the affected securly.min.js artifact is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.3 (HIGH) and applies per-environment compliance policy weighting to prioritize it against each customer's configured risk thresholds. Triage results are routed to the appropriate team inbox within the customer organization based on image ownership and policy rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The extension package is distributed over the network, so an attacker can retrieve and inspect it without any special network position (CVSS AV:N).

  • Authentication: Not required

    No credentials or account of any kind are required to download the extension and extract the hardcoded passphrases from securly.min.js (CVSS PR:N).

  • Victim interaction: Not required

    No user action is needed; the attacker operates entirely against the static extension artifact (CVSS UI:N).

  • Attack complexity: Low

    Exploitation is straightforward and condition-free: the passphrases are present in plaintext, and a string search or basic JavaScript inspection of securly.min.js is enough to locate them (CVSS AC:L).

Blast Radius

  • Attacker reads the hardcoded AES passphrases from securly.min.js and decrypts the full crisis alert keyword list that the extension uses to flag student activity.
  • Attacker decrypts the intervention site list, revealing the specific domains and URLs the extension is configured to block or monitor.
  • Partial integrity impact: knowledge of the encryption keys and data structures opens the door to crafting inputs that bypass keyword or site-blocking logic (CVSS I:L).
  • Partial availability impact: an attacker with this knowledge can interfere with the extension's alerting functions, potentially suppressing crisis notifications (CVSS A:L).

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-8876, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a remediated version is published. In the interim, compensating controls are worth applying: network policy rules can restrict which hosts are permitted to fetch or serve the extension package; egress filtering can limit where the extension phones home; and build pipelines can be configured to block promotion of any image layer containing securly.min.js at the affected version. Be clear about what these controls buy: they limit where the vulnerable version runs, but they cannot restore the confidentiality of passphrases that have already shipped in every copy of the package, so the keyword and intervention-site data those passphrases protect should be treated as disclosed until an upstream release stops embedding them. For customers with auto-remediation enabled, the full rebuild, regression-test, and PR workflow will trigger automatically once a fix version is available upstream, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes under that configuration.

Affected packages
  • Securly / Securly Chrome Extension
    ≤ 3.0.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
References