CVE-2026-63098 PUBLISHED

TheHive 4.1.24 Unauthenticated Information Disclosure via /api/status Endpoint

Assigner: VulnCheck
Reserved: 15.07.2026 Published: 17.07.2026 Updated: 17.07.2026

TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler. Attackers can obtain the datastore attachment protection password, configured authentication providers, SSO settings, MFA capabilities, and clustered node addresses and roles without any credentials.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor TheHive-Project
Product TheHive
Versions Default: affected
  • affected from 0 to 4.1.24 (incl.)

Credits

  • George Chen finder

References

Problem Types

  • Missing Authentication for Critical Function CWE