CVE-2026-29872: awesome-llm-apps MCP Agent: cross-session credential theft
HIGH PoC AVAILABLE CISA: TRACK*Any Streamlit-based AI agent in your stack that accepts user-supplied API keys may be leaking those credentials to the next person who hits the app — no authentication required. Audit all internal Streamlit deployments for use of os.environ with user-provided secrets and rotate any tokens that may have been exposed. This is a systemic pattern in the vibe-coding AI app ecosystem, not an isolated case.
What is the risk?
High risk. CVSS 8.2 reflects a network-accessible vulnerability requiring zero privileges and zero user interaction. The attack is trivially reproducible: an attacker simply submits a request to a shared Streamlit app after a legitimate user and reads process-level environment variables containing their credentials. The exposure is amplified in shared-hosting, internal developer tooling, and demo environments — all common deployment patterns for LLM-powered agents built on Streamlit. GitHub PATs grant repository access; stolen LLM API keys enable financial abuse via compute cost draining.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
IMMEDIATE — Rotate all GitHub Personal Access Tokens and LLM API keys that may have been entered into affected Streamlit deployments.
-
PATCH — Replace os.environ usage for user-supplied credentials with Streamlit session state (st.session_state) which is isolated per user session.
-
AUDIT — Search internal codebases for the pattern
os.environ[...] = user_inputin Streamlit apps. -
ARCHITECTURE — Never use process-wide state for session-scoped secrets. Use per-request credential injection or short-lived token exchange patterns.
-
DETECT — Monitor GitHub API and LLM provider logs for anomalous usage patterns from tokens you've issued.
-
SCOPE — This anti-pattern is pervasive in community LLM app templates; brief your development teams on session isolation requirements before deploying any Streamlit-based AI tooling.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-29872?
Any Streamlit-based AI agent in your stack that accepts user-supplied API keys may be leaking those credentials to the next person who hits the app — no authentication required. Audit all internal Streamlit deployments for use of os.environ with user-provided secrets and rotate any tokens that may have been exposed. This is a systemic pattern in the vibe-coding AI app ecosystem, not an isolated case.
Is CVE-2026-29872 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-29872, increasing the risk of exploitation.
How to fix CVE-2026-29872?
1. IMMEDIATE — Rotate all GitHub Personal Access Tokens and LLM API keys that may have been entered into affected Streamlit deployments. 2. PATCH — Replace os.environ usage for user-supplied credentials with Streamlit session state (st.session_state) which is isolated per user session. 3. AUDIT — Search internal codebases for the pattern `os.environ[...] = user_input` in Streamlit apps. 4. ARCHITECTURE — Never use process-wide state for session-scoped secrets. Use per-request credential injection or short-lived token exchange patterns. 5. DETECT — Monitor GitHub API and LLM provider logs for anomalous usage patterns from tokens you've issued. 6. SCOPE — This anti-pattern is pervasive in community LLM app templates; brief your development teams on session isolation requirements before deploying any Streamlit-based AI tooling.
What systems are affected by CVE-2026-29872?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, MCP-based agents, model serving, AI developer tooling.
What is the CVSS score for CVE-2026-29872?
CVE-2026-29872 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.25%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0034 Cost Harvesting AML.T0040 AI Model Inference API Access AML.T0048.000 Financial Harm AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials AML.T0083 Credentials from AI Agent Configuration AML.T0091.000 Application Access Token Compliance Controls Affected
What are the technical details?
Original Advisory
A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse.
Exploitation Scenario
An attacker identifies a shared Streamlit-based GitHub MCP Agent deployment — common in internal developer portals, AI demo environments, or shared team tooling. A legitimate user authenticates their session by entering their GitHub PAT and an LLM API key into the Streamlit UI, which the application stores via os.environ['GITHUB_TOKEN'] = token. The attacker, using a separate browser session (or even a simple HTTP client), immediately submits a benign request to the same Streamlit app. Because all sessions share the same Python process, the attacker's session code can read os.environ and retrieve the previously stored credentials. The attacker exfiltrates the GitHub PAT to clone private repositories or access secrets, and uses the stolen LLM API key to run compute-intensive workloads at the victim's expense.
Weaknesses (CWE)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE-284 Improper Access Control CWE-522 Insufficiently Protected Credentials CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Timeline
Related Vulnerabilities
CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Data Leakage CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Data Leakage CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same attack type: Auth Bypass CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same attack type: Privacy Violation CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same attack type: Auth Bypass