Platform
python
Component
wandb
Fixed in
1.0.1
3.5.1
CVE-2026-4994 describes an information exposure vulnerability within the wandb OpenUI component. Specifically, the genericexceptionhandler function in backend/openui/server.py allows for information disclosure through error messages when manipulating the key argument. This vulnerability, rated as low severity, impacts versions 1.0 up to 3.5-turb. Currently, there is no official patch available to address this issue.
A vulnerability has been identified in wandb OpenUI versions up to 1.0/3.5-turb. This flaw, located in the genericexceptionhandler function within the backend/openui/server.py file of the APIStatusError Handler component, allows for information exposure through error messages. An attacker can manipulate the key argument to trigger this disclosure. The vulnerability requires local network access for exploitation and, concerningly, the exploit has been publicly released, increasing the risk of attacks. The vendor's lack of response to early notification of this vulnerability further compounds the situation, leaving users without an immediate official fix.
The vulnerability lies in how the error handler genericexceptionhandler processes arguments, specifically the manipulation of the key argument. An attacker, with local network access, can send malicious requests designed to trigger the function and force the disclosure of sensitive information through generated error messages. The public availability of the exploit means attackers can easily replicate the attack, significantly increasing the risk. The vendor's lack of response hinders the accurate assessment of the vulnerability's full scope and the availability of countermeasures.
Exploit Status
EPSS
0.03% (7% percentile)
CISA SSVC
CVSS Vector
Given the vendor's lack of a provided fix, immediate mitigation focuses on risk reduction. We strongly recommend upgrading to an OpenUI version later than 1.0/3.5-turb once available. In the meantime, restrict local network access to the OpenUI instance, limiting exploitation possibilities. Thoroughly monitor server logs for unusual error patterns to detect potential exploitation attempts. Consider implementing firewall rules to block suspicious traffic toward the OpenUI server. Continuous security posture assessment remains crucial until an official solution is available.
Actualice la biblioteca wandb a una versión posterior a 3.5-turb. Esto solucionará la vulnerabilidad de exposición de información. Consulte la documentación de wandb para obtener instrucciones sobre cómo actualizar la biblioteca.
Vulnerability analysis and critical alerts directly to your inbox.
It means the technique to exploit the vulnerability is known and available to anyone, making it easier for attackers to use.
The vendor's lack of response is concerning and hinders risk assessment and solution availability. It could be due to various factors, but communication is essential in these cases.
Implement mitigation measures such as restricting network access, monitoring logs, and considering firewall rules.
Look for unusual error patterns in server logs and monitor network activity for suspicious traffic.
Currently, there are no specific tools available to detect this vulnerability, so manual monitoring and mitigation measures are crucial.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.