
CWE-526 (Information Exposure Through Environmental Variables) — Vulnerability Class 15

15 vulnerabilities classified as CWE-526 (Information Exposure Through Environmental Variables). AI-generated Chinese analysis included.

CWE-526 represents a critical data exposure weakness where applications store unencrypted sensitive information, such as credentials or tokens, within environment variables. This vulnerability is typically exploited by attackers who gain access to the system’s execution context, allowing them to read these variables directly. Since environment variables are often inherited by child processes, spawned dependencies, or cloud-based serverless functions, the data becomes accessible to multiple components that may not require such privileged access. Additionally, these values can inadvertently leak into logs, headers, or diagnostic messages. To mitigate this risk, developers must avoid placing secrets in environment variables entirely. Instead, they should utilize dedicated, encrypted secret management solutions or hardware security modules that ensure sensitive data remains protected at rest and in transit, limiting access strictly to authorized processes.

MITRE CWE Description
The product uses an environment variable to store unencrypted sensitive information. Information stored in an environment variable can be accessible by other processes with the execution context, including child processes that dependencies are executed in, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these other dependencies have no need to use the environment variable in question. A weakness that discloses environment variables could expose this information.
Common Consequences (1)
Confidentiality: Read Application Data
Mitigations (2)
Architecture and Design: Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guarant…
Implementation: If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.
CVE ID | Title | CVSS | Severity | Published
CVE-2026-40153 | PraisonAIAgents Affected by Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool — PraisonAIAgents | 7.4 | High | 2026-04-09
CVE-2025-36105 | IBM Planning Analytics Advanced Certified Containers is vulnerable to a sensitive information disclosure vulnerability — Planning Analytics Advanced Certified Containers | 4.4 | Medium | 2026-03-10
CVE-2025-27899 | Multiple vulnerabilities in IBM Java SDK affecting Db2 Recovery Expert for Linux, Unix and Windows — DB2 Recovery Expert for LUW | 5.3 | Medium | 2026-02-17
CVE-2025-36017 | IBM Controller Information Disclosure — Controller | 6.5 | Medium | 2025-12-08
CVE-2025-9162 | Org.keycloak/keycloak-model-storage-service: variable injection into environment variables — keycloak | 4.9 | Medium | 2025-08-21
CVE-2023-43029 | IBM Storage Virtualize vSphere Remote Plug-in information disclosure — Storage Virtualize vSphere Remote Plug-in | 6.8 | Medium | 2025-03-21
CVE-2024-12604 | Improper Authentication in Tapandsign Technologies Tap and Sign App — Tap&Sign App | 6.5 | Medium | 2025-03-10
CVE-2025-0985 | IBM MQ information disclosure — MQ | 5.5 | Medium | 2025-02-28
CVE-2024-11736 | Org.keycloak:keycloak-quarkus-server: unrestricted admin use of system and environment variables | 4.9 | Medium | 2025-01-14
CVE-2024-4369 | Cluster-image-registry-operator: exposes a secret via env variable in pod definition on azure | 6.8 | Medium | 2024-04-30
CVE-2024-2700 | Quarkus-core: leak of local configuration properties into quarkus applications | 7.0 | High | 2024-04-04
CVE-2023-5720 | Quarkus: build env information disclosure via gradle plugin — gradle-plugin | 7.7 | High | 2023-11-15
CVE-2023-47615 | Telit Cinterion BGS5 Security Vulnerability — BGS5 | 3.3 | Low | 2023-11-09
CVE-2023-35931 | Shescape potential environment variable exposure on Windows with CMD — shescape | 3.1 | Low | 2023-06-23
CVE-2014-2377 | Ecava IntegraXor SCADA Server Information Exposure Through Environmental Variables — IntegraXor SCADA Server | 5.3 | - | 2014-09-15

Vulnerabilities classified as CWE-526 (Information Exposure Through Environmental Variables) represent 15 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.