Home

Description

Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instance using the victim’s configured upstream provider API credentials, resulting in unauthorized API usage and potential disclosure of proxied request and response data. This vulnerability's general exploitability has been mitigated with the introduction of commit 023cc95.

PUBLISHED Reserved 2026-03-03 | Published 2026-03-09 | Updated 2026-03-09 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

HIGH: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Problem types

CWE-798 Use of Hard-coded Credentials

Product status

Default status
unknown

Any version before commit 023cc95
affected

Credits

Valentin Lobstein (Chocapikk) finder

References

github.com/KeygraphHQ/shannon/issues/186 issue-tracking

github.com/KeygraphHQ/shannon/pull/224 release-notes

github.com/...anges/023cc953db742602964b7826105278d15c28a420 mitigation

www.vulncheck.com/...graph-shannon-hard-coded-router-api-key third-party-advisory

cve.org (CVE-2026-29023)

nvd.nist.gov (CVE-2026-29023)

Download JSON