Platform: python
Component: wandb
Fixed in: 0.0.1, 1.0.1
CVE-2026-4993 affects wandb OpenUI versions from 0.0.0 to 1.0. The flaw lies in the handling of the LITELLMMASTERKEY argument in the backend/openui/config.py file, which exposes a hardcoded credential. Exploitation requires local access, and a public proof-of-concept is available, so the potential for immediate misuse is real.
The primary impact of CVE-2026-4993 is the exposure of hardcoded credentials within the wandb OpenUI. An attacker with local access can manipulate the LITELLMMASTERKEY argument to gain unauthorized access to sensitive information or systems protected by these credentials. This could lead to data breaches, privilege escalation, and potentially broader compromise of the environment where wandb OpenUI is deployed. The availability of a public exploit significantly increases the risk of exploitation.
CVE-2026-4993 has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The vendor was contacted but did not respond, which increases the urgency of mitigation. The vulnerability is not currently listed on CISA KEV as of the provided publication date. The exploit requires local access, limiting the scope of potential attacks but still posing a significant risk in environments with compromised local accounts.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-4993 is to upgrade to a patched version of wandb OpenUI. Since a fixed version is not specified in the provided data, review the wandb project's release notes carefully for updates that address this vulnerability. As a temporary workaround, restrict local access to the backend/openui/config.py file so that the LITELLMMASTERKEY argument cannot be modified by unauthorized users. After upgrading, verify that the hardcoded credential is gone by inspecting the configuration file and testing the access controls around it.
Update the wandb library to a version later than 1.0 to fix the hard-coded credentials vulnerability. This will prevent local attackers from exploiting the vulnerable configuration.
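The verification step above (inspect the configuration file for a hardcoded credential, then confirm the key is only ever supplied from the environment) can be automated. The following is an added example, not code from this advisory or from the wandb OpenUI project: it parses a Python config module with the standard `ast` module and flags any assignment to the master-key setting whose value is a string literal or an `os.getenv`/`os.environ.get` call with a literal fallback, and it shows a hardened loader that refuses to start without the key in the environment. The setting name follows the page's spelling, LITELLMMASTERKEY; the underscored form LITELLM_MASTER_KEY is also matched on the assumption that it is the LiteLLM environment variable the page refers to. Both sample config texts are constructed for illustration and are not the project's real config.py.

```python
"""Added example (not part of the advisory or the wandb OpenUI project).

Two defensive checks for the hardcoded-credential pattern described in
CVE-2026-4993. Assumptions: the setting name follows the page's spelling
LITELLMMASTERKEY; the underscored LITELLM_MASTER_KEY is matched as well on
the assumption that it is the real LiteLLM variable. The sample config text
below is constructed for illustration, not the project's actual config.py.
"""
import ast
import os
from typing import List, Optional, Tuple

# Setting names to look for (page spelling plus the assumed underscored form).
KEY_NAMES = ("LITELLMMASTERKEY", "LITELLM_MASTER_KEY")

# Constructed sample of the vulnerable pattern: a literal default baked into
# the config module, so anyone who can read the file learns the credential.
VULNERABLE_CONFIG = '''
import os
LITELLM_MASTER_KEY = os.getenv("LITELLM_MASTER_KEY", "sk-constructed-sample-default")
OTHER_SETTING = os.getenv("OTHER_SETTING", "default-value")
'''

# Constructed sample of the hardened pattern: no literal default at all.
HARDENED_CONFIG = '''
import os
LITELLM_MASTER_KEY = os.environ["LITELLM_MASTER_KEY"]
OTHER_SETTING = os.getenv("OTHER_SETTING", "default-value")
'''


def _is_getenv(func: ast.AST) -> bool:
    """True for the callee of os.getenv(...) or os.environ.get(...)."""
    if not isinstance(func, ast.Attribute):
        return False
    if func.attr == "getenv" and isinstance(func.value, ast.Name) and func.value.id == "os":
        return True
    return (func.attr == "get" and isinstance(func.value, ast.Attribute)
            and func.value.attr == "environ"
            and isinstance(func.value.value, ast.Name) and func.value.value.id == "os")


def find_hardcoded_keys(source: str) -> List[Tuple[int, str]]:
    """Parse a Python config module and report assignments to a master-key
    name whose value is a non-empty string literal, or an os.getenv /
    os.environ.get call whose fallback is a non-empty string literal.
    Returns (line number, description) pairs; an empty list means clean."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if not any(n in KEY_NAMES for n in names):
            continue
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            findings.append((node.lineno, "literal credential assigned"))
        elif isinstance(value, ast.Call) and _is_getenv(value.func):
            # The fallback is the second positional argument or default=...
            default = value.args[1] if len(value.args) > 1 else None
            for kw in value.keywords:
                if kw.arg == "default":
                    default = kw.value
            if isinstance(default, ast.Constant) and isinstance(default.value, str) and default.value:
                findings.append((node.lineno, "os.getenv fallback is a literal credential"))
    return findings


def load_master_key(env: Optional[dict] = None) -> str:
    """Hardened loader: take the key only from the environment and reject a
    missing or blank value instead of silently using a built-in default."""
    env = os.environ if env is None else env
    for name in KEY_NAMES:
        value = env.get(name, "").strip()
        if value:
            return value
    raise RuntimeError("master key not set; refusing to start with a built-in default")


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, find_hardcoded_keys(src))
    print(load_master_key({"LITELLM_MASTER_KEY": "from-env"}))
```

Running the scanner against the real config.py (read the file and pass its text to `find_hardcoded_keys`) gives a repeatable post-upgrade check; an empty result for the key names, together with the loader raising when the variable is unset, is the condition the mitigation paragraph asks you to verify.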
CVE-2026-4993 is a vulnerability in wandb OpenUI versions 0.0.0–1.0 where manipulating the LITELLMMASTERKEY argument exposes hardcoded credentials, requiring local access.
You are affected if you are using wandb OpenUI versions between 0.0.0 and 1.0 and have not upgraded to a patched version. Local access is required for exploitation.
Upgrade to a patched version of wandb OpenUI. Review the project's release notes for updates addressing this vulnerability. Restrict local access to the configuration file as a temporary workaround.
A public exploit exists, indicating a high probability of active exploitation. The vulnerability's severity is LOW.
Due to the vendor's lack of response, an official advisory may not be available. Monitor the wandb project's release notes and security announcements for updates.