CVE-2026-35467 PUBLISHED

Private Key stored as extractable in browser IndexeDB

Assigner: certcc
Reserved: 02.04.2026 Published: 02.04.2026 Updated: 03.04.2026

The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials.

Product Status

Vendor	CERT/CC
Product	cveClient/encrypt-storage.js
Versions	Default: unaffected affected from 0 to 1.1.15 (excl.)

Credits

Jerry Gamblin (https://github.com/jgamblin) finder

References

Github PR to fix the issue
Github Repository of the project.

Problem Types

CWE-522 Insufficiently Protected Credentials CWE