CVE-2026-29872: A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80
Summary
A cross-session information disclosure vulnerability exists in the awesome-llm-apps project where user API tokens are stored in process-wide environment variables without proper isolation. Because Streamlit (a web framework for Python applications) runs multiple users in a single process, credentials entered by one user can be accessed by other users, allowing attackers to steal sensitive tokens like GitHub Personal Access Tokens or LLM API keys.
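The following is an added illustration, not code from the awesome-llm-apps project, of the storage mistake the summary describes and of the per-session alternative. It does not import Streamlit; a small `Session` dataclass stands in for `st.session_state`, and two threads in one process stand in for two users' sessions. The environment variable name `DEMO_GITHUB_TOKEN` and the token string are constructed for the demo.

```python
import os
import threading
from dataclasses import dataclass, field
from typing import Callable, Optional


# Constructed stand-in for Streamlit's per-session st.session_state;
# Streamlit itself is not imported, so this runs offline.
@dataclass
class Session:
    session_id: str
    state: dict = field(default_factory=dict)


ENV_KEY = "DEMO_GITHUB_TOKEN"  # assumed name, used only by this demo


# --- Vulnerable pattern: the token is written into os.environ, which is
# shared by every thread (and therefore every user session) in the process.
def vulnerable_store_token(session: Session, token: str) -> None:
    os.environ[ENV_KEY] = token


def vulnerable_read_token(session: Session) -> Optional[str]:
    return os.environ.get(ENV_KEY)


# --- Hardened pattern: the token lives only in the caller's own session
# state and is never promoted to process-wide storage.
def hardened_store_token(session: Session, token: str) -> None:
    session.state["github_token"] = token


def hardened_read_token(session: Session) -> Optional[str]:
    return session.state.get("github_token")


def run_two_sessions(store: Callable[[Session, str], None],
                     read: Callable[[Session], Optional[str]]) -> Optional[str]:
    """Simulate two users sharing one process: alice submits a token on her
    thread, then bob asks for *his* token on another thread. Returns what bob
    sees, which should be None if sessions are isolated."""
    alice, bob = Session("alice"), Session("bob")
    seen_by_bob = []
    alice_done = threading.Event()

    def alice_turn() -> None:
        store(alice, "ghp_EXAMPLE_alice_token")  # constructed, not a real token
        alice_done.set()

    def bob_turn() -> None:
        alice_done.wait()
        seen_by_bob.append(read(bob))

    threads = [threading.Thread(target=alice_turn), threading.Thread(target=bob_turn)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    os.environ.pop(ENV_KEY, None)  # remove the demo's variable afterwards
    return seen_by_bob[0]


def leaked_token() -> Optional[str]:
    """Bob's view under the vulnerable pattern: alice's token."""
    return run_two_sessions(vulnerable_store_token, vulnerable_read_token)


def isolated_token() -> Optional[str]:
    """Bob's view under the hardened pattern: nothing."""
    return run_two_sessions(hardened_store_token, hardened_read_token)


if __name__ == "__main__":
    print("vulnerable pattern, bob sees:", leaked_token())
    print("hardened pattern, bob sees:  ", isolated_token())
```

The point to take from the run is that nothing about threads is needed to cause the leak; `os.environ` is a single process-wide mapping, so any later request in the same process that reads the variable receives whichever user's token was written last. Keeping the credential in session-scoped state (or passing it explicitly to the client call that needs it) removes the shared storage entirely, and a grep for `os.environ[...] =` in request-handling code is a cheap way to find this pattern during review.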
Vulnerability Details
CVSS base score: 8.2 (High)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Date: March 30, 2026
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-29872
First tracked: March 30, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 92%