CVE-2026-8878
Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: none published
- Affected Products: 1
HarborGuard Analysis
Synopsis
An information-disclosure vulnerability exists in the Securly Chrome Extension version 3.0.7 and earlier. The extension exposes publicly accessible endpoints that require no authentication, serving SHA-1 hashes that are obfuscated only with a Caesar cipher (a fixed character-shift encoding with no key material, which is trivially reversible). An attacker who reaches those endpoints over the network can reverse the obfuscation and recover the original hash values; those hashes can then be cracked or looked up offline to expose the data they were derived from. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Available: Detection for CVE-2026-8878 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Securly Chrome Extension at an affected version.
- Available: HarborGuard scores this CVE at CVSS 7.5 HIGH and surfaces it accordingly within each customer environment, weighted against that environment's compliance policy. Triage findings are routed to the appropriate team inbox based on each organization's configured ownership rules.
- Pending upstream: No fix version has been published for this CVE. HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a remediated release.
Exploit Conditions
- Network reachability: Required
The attacker must reach the exposed extension endpoints over the network; no local access or special network position is needed.
- Authentication: Not required
The affected endpoints are publicly accessible and require no credentials or session token of any kind.
- Victim interaction: Not required
No user action is needed; the attacker queries the endpoints directly without any social-engineering step.
- Attack complexity: Low
Exploitation is reliable and condition-free: the Caesar cipher reversal is deterministic and requires no race conditions or environmental prerequisites.
Blast Radius
- An attacker reads SHA-1 hash values that the extension intended to keep protected, after reversing the trivial Caesar cipher obfuscation.
- Recovered hashes can be fed to offline cracking or to precomputed lookup tables. SHA-1 is fast to compute, so any hash derived from a low-entropy or unsalted input (an e-mail address, a username, a short identifier) is likely to be reversed to its plaintext value.
- No data modification or service disruption is enabled by this vulnerability; impact is limited to confidentiality of the exposed hash material.
How HarborGuard Handles This
Available on HarborGuard. Because no upstream fix exists yet, HarborGuard continuously monitors the Securly advisory across ingest cycles and will surface a patched-image rebuild the moment a remediated version is published. In the interim, customers can apply compensating controls through HarborGuard network policy recommendations: isolate container workloads that bundle the affected extension behind restrictive ingress and egress rules, block unauthenticated external access to any endpoint served by the extension, and flag new image builds that introduce the affected version for manual review before promotion. For customers who opt into auto-remediation, a rebuild, regression run and PR against affected workloads will trigger automatically once a fix version is available upstream.
Affected Products
- Securly / Securly Chrome Extension: ≤ 3.0.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N