
CWE-532 (Information Exposure Through Log Files) — Vulnerability Class 604

604 vulnerabilities classified as CWE-532 (Information Exposure Through Log Files). AI analysis in Chinese included.

CWE-532 represents a critical information disclosure weakness where software inadvertently records sensitive data, such as passwords, credit card numbers, or personal identifiers, into log files. This vulnerability is typically exploited by attackers who gain access to these logs through insufficient file permissions, insecure storage practices, or compromised administrative accounts. Once accessed, the exposed data can be harvested for identity theft, financial fraud, or further system intrusion. To prevent this, developers must implement strict data sanitization protocols, ensuring that sensitive fields are masked or excluded before logging. Additionally, employing robust access controls and encryption for log storage, alongside regular audits of logging configurations, helps mitigate the risk of accidental exposure. By treating log files as potential repositories of confidential information, organizations can significantly reduce their attack surface and maintain compliance with data protection standards.

MITRE CWE Description
The product writes sensitive information to a log file.
Common Consequences (1)
Confidentiality: Read Application Data
Logging sensitive user data, full path names, or system information often provides attackers with an additional, less-protected path to acquiring the information.
Mitigations (4)
Architecture and Design, Implementation: Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.
Distribution: Remove debug log files before deploying the application into production.
Operation: Protect log files against unauthorized read/write.
Implementation: Adjust configurations appropriately when software is transitioned from a debug state to production.
Examples (2)
In the following code snippet, a user's full name and credit card number are written to a log file.

```java
logger.info("Username: " + username + ", CCN: " + ccn);
```
Bad · Java

This code stores location information about the current user:

```java
locationClient = new LocationClient(this, this, this);
locationClient.connect();
currentUser.setLocation(locationClient.getLastLocation());
...
catch (Exception e) {
    AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage("Sorry, this application has experienced an error.");
    AlertDialog alert = builder.create();
    alert.show();
    // The exception and the whole user object (including its location) end up in the log.
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
}
```
Bad · Java
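The "mask or exclude before logging" mitigation, as an added Python example that is not part of MITRE's entry or of any product listed on this page: a `logging.Filter` that redacts key=value secrets, bearer tokens and JWTs, credentials embedded in connection URIs, and Luhn-valid card numbers before any handler writes the record, plus the two fixes for the MITRE snippets above (the card number reaches the log masked; only an allow-listed set of user fields is logged instead of the whole object). The regex names, the `user_log_fields` allow-list and every sample string are constructed for this example.

```python
"""Added example for CWE-532: redact secrets before they reach a log handler.

Constructed for this page; the patterns, names and sample strings are
assumptions, not code from MITRE or from any product listed above.
"""
import io
import logging
import re

REDACTED = "[REDACTED]"

# Secrets written as key=value or key: value (password=..., token: ..., api_key=...).
KV_SECRET_RE = re.compile(
    r"""(?i)\b(password|passwd|pwd|token|api[_-]?key|secret)(\s*[=:]\s*)(["']?)([^\s"',;&]+)"""
)
# Authorization header values and bare JWTs (three base64url segments).
BEARER_RE = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9\-._~+/]+=*")
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
# Credentials embedded in connection URIs: scheme://user:pass@host
URI_CRED_RE = re.compile(r"(?i)\b([a-z][a-z0-9+.\-]*://[^/\s:@]+:)[^@\s]+@")
# Candidate payment card numbers: 13-19 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ \-]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used only to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(match) -> str:
    digits = re.sub(r"[ \-]", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # not a card number: leave timestamps, ids etc. alone
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Apply every redaction rule to an already formatted log message."""
    text = URI_CRED_RE.sub(r"\g<1>" + REDACTED + "@", text)
    text = BEARER_RE.sub("Bearer " + REDACTED, text)
    text = JWT_RE.sub(REDACTED, text)
    text = KV_SECRET_RE.sub(r"\g<1>\g<2>\g<3>" + REDACTED, text)
    return CARD_RE.sub(_mask_card, text)


class RedactingFilter(logging.Filter):
    """Redacts the fully formatted message before any handler writes it.

    Tracebacks (record.exc_info) are rendered later by the Formatter and are
    not covered here; a Formatter subclass would be needed for those.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated into msg
        return True


def user_log_fields(user: dict) -> dict:
    """Fix for the second MITRE snippet: log an allow-list of fields, never the whole object."""
    return {k: user[k] for k in ("id", "role") if k in user}


def log_through_filter(message: str, *args) -> str:
    """Log one INFO record through a handler with RedactingFilter and return what it wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("cwe532.example")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    try:
        logger.info(message, *args)
    finally:
        logger.removeHandler(handler)
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Fix for the first MITRE snippet: the card number arrives masked.
    print(log_through_filter("Username: %s, CCN: %s", "alice", "4111111111111111"))
    print(log_through_filter("startup datastore=%s", "postgres://app:s3cr3t@db:5432/spice"))
    user = {"id": 7, "role": "user", "location": "51.5,-0.1"}
    print(log_through_filter("Caught exception while on user: %s", user_log_fields(user)))
```

Attaching the filter to the handler rather than the logger means records from child loggers and from `propagate`d loggers are still scrubbed at the point of writing. The Luhn check keeps long numeric ids and timestamps readable; it is a false-positive reducer, not a guarantee, so fields known to carry card data should still be masked at the source.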
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-42282 | n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode | n8n-mcp | 4.3 | Medium | 2026-05-08 |
| CVE-2026-41495 | n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests | n8n-mcp | 5.3 | Medium | 2026-05-08 |
| CVE-2026-41004 | VMware Spring Cloud Config Log Information Disclosure Vulnerability | Spring Cloud Config | 4.4 | Medium | 2026-05-07 |
| CVE-2024-30151 | HCL BigFix Service Management (SM) is susceptible to Broken Access Control Vulnerability | BigFix Service Management (SM) | 8.3 | High | 2026-05-06 |
| CVE-2026-7824 | PaperCut Hive (Ricoh): Plain text password in logs | PaperCut Hive | 6.5 | - | 2026-05-05 |
| CVE-2026-40945 | Oxia: Bearer token exposed in debug log messages on authentication failure | oxia | 7.5 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-23775 | Dell PowerProtect Data Domain (Dell PowerProtect DD) Security Vulnerability | PowerProtect Data Domain appliances | 7.6 | High | 2026-04-17 |
| CVE-2026-34164 | Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService | valtimo | 4.9 | Medium | 2026-04-16 |
| CVE-2025-43937 | Dell PowerScale OneFS Security Vulnerability | PowerScale OneFS | 6.6 | Medium | 2026-04-16 |
| CVE-2026-31987 | Apache Airflow: JWT token appearing in logs | Apache Airflow | 6.5 (AI) | Medium (AI) | 2026-04-16 |
| CVE-2026-20205 | Sensitive Information Disclosure in '_internal' index in Splunk MCP Server app | Splunk MCP Server | 7.2 | High | 2026-04-15 |
| CVE-2026-40091 | SpiceDB: SPICEDB_DATASTORE_CONN_URI is leaked on startup logs | spicedb | 6.0 | Medium | 2026-04-14 |
| CVE-2026-0207 | Sensitive Information Logging Vulnerability in FlashBlade | FlashBlade | 7.5 | - | 2026-04-14 |
| CVE-2026-32218 | Windows Kernel Information Disclosure Vulnerability | Windows 10 Version 21H2 | 5.5 | Medium | 2026-04-14 |
| CVE-2026-32217 | Windows Kernel Information Disclosure Vulnerability | Windows 10 Version 1607 | 5.5 | Medium | 2026-04-14 |
| CVE-2026-32215 | Windows Kernel Information Disclosure Vulnerability | Windows 10 Version 1809 | 5.5 | Medium | 2026-04-14 |
| CVE-2026-2401 | Schneider Electric PowerChute Serial Shutdown Log Information Disclosure Vulnerability | PowerChute™ Serial Shutdown | 6.5 | - | 2026-04-14 |
| CVE-2025-66236 | Apache Airflow: Secrets from Airflow config file logged in plain text in DAG run logs UI | Apache Airflow | 9.6 | - | 2026-04-13 |
| CVE-2026-34487 | Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token | Apache Tomcat | 7.5 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-4901 | Insertion of Sensitive Information into Log File in Hydrosystem Control System | Control System | 5.5 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-28261 | Dell ObjectScale and Dell Elastic Cloud Storage Log Information Disclosure Vulnerability | Elastic Cloud Storage | 7.8 | High | 2026-04-08 |
| CVE-2026-4788 | Multiple Vulnerabilities affect IBM Tivoli Netcool Impact | Tivoli Netcool Impact | 8.4 | High | 2026-04-08 |
| CVE-2026-27315 | Apache Cassandra: cqlsh history sensitive information leak | Apache Cassandra | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2019-25683 | FileZilla 3.40.0 Denial of Service via Local Search | FileZilla | 6.2 | Medium | 2026-04-05 |
| CVE-2026-4819 | Search Guard audit logs can contain under certain conditions user credentials | Search Guard FLX | 4.9 | Medium | 2026-03-31 |
| CVE-2026-32982 | OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs | OpenClaw | 7.5 | High | 2026-03-31 |
| CVE-2026-4957 | OpenBMB XAgent API Key function_handler.py FunctionHandler.handle_tool_call log file | XAgent | 2.7 | Low | 2026-03-27 |
| CVE-2024-11604 | Insertion of Sensitive Information into Log File | IDM Driver and Extensions | 5.5 | - | 2026-03-27 |
| CVE-2025-36187 | Multiple Security vulnerabilities affecting IBM Knowledge Catalog Standard Cartridge | Knowledge Catalog Standard Cartridge | 4.4 | Medium | 2026-03-25 |
| CVE-2026-32598 | OneUptime: Password Reset Token Logged at INFO Level | oneuptime | 8.1 | - | 2026-03-12 |

Scores and severities marked (AI) carry the page's "AI" marker (AI-estimated rather than an official score); "-" means no severity is listed.

Vulnerabilities classified as CWE-532 (Information Exposure Through Log Files) represent 604 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.