CVE-2026-5128

CVE-2026-5128 PUBLISHED

Assigner: TuranSec
Reserved: 30.03.2026 Published: 30.03.2026 Updated: 30.03.2026

A sensitive information exposure vulnerability exists in ArthurFiorette steam-trader 2.1.1. An unauthenticated attacker can send a request to the /users API endpoint to retrieve highly sensitive Steam account data, including the account username, password, identity secret, and shared secret. In addition, application logs expose authentication artifacts such as access tokens, refresh tokens, and session identifiers. This information allows an attacker to generate valid Steam Guard (2FA) codes, hijack authenticated sessions, and obtain full control over the affected Steam account, including unauthorized access to inventory and trading functionality. No fix is available because the repository is archived and no longer maintained.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 10

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score: 10

Access Vector	Network	Confidentiality Impact	Complete
Access Complexity	Low	Integrity Impact	Complete
Authentication	None	Availability Impact	Complete

CVSS 2.0

Product Status

Vendor	ArthurFiorette
Product	steam-trader
Versions	Default: affected Version 2.1.1 is affected

Vendor

ArthurFiorette

Product

steam-trader

Versions

Default: affected

Version 2.1.1 is affected

Credits

Jamshed Yergashvoyev (CVE GUY) finder
Muhammad Usmonov (Shep) coordinator

References

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE
CWE-532 Insertion of Sensitive Information into Log Files CWE

Impacts

Unauthenticated remote attackers can retrieve Steam account credentials, secrets, and tokens, leading to Steam Guard bypass, session hijacking, full account takeover, and theft of inventory items.