CVE-2026-29872

HIGH

awesome-llm-apps MCP Agent: cross-session credential theft

Published March 30, 2026

CISO Take

Any Streamlit-based AI agent in your stack that accepts user-supplied API keys may be leaking those credentials to the next person who hits the app — no authentication required. Audit all internal Streamlit deployments for use of os.environ with user-provided secrets and rotate any tokens that may have been exposed. This is a systemic pattern in the vibe-coding AI app ecosystem, not an isolated case.

Severity & Risk

CVSS 3.1
8.2 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. IMMEDIATE — Rotate all GitHub Personal Access Tokens and LLM API keys that may have been entered into affected Streamlit deployments.
  2. PATCH — Replace os.environ usage for user-supplied credentials with Streamlit session state (st.session_state), which is isolated per user session.
  3. AUDIT — Search internal codebases for the pattern `os.environ[...] = user_input` in Streamlit apps.
  4. ARCHITECTURE — Never use process-wide state for session-scoped secrets. Use per-request credential injection or short-lived token exchange patterns.
  5. DETECT — Monitor GitHub API and LLM provider logs for anomalous usage patterns from tokens you've issued.
  6. SCOPE — This anti-pattern is pervasive in community LLM app templates; brief your development teams on session isolation requirements before deploying any Streamlit-based AI tooling.
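To make the AUDIT step (item 3) mechanical rather than a grep that misses aliases, here is an AST-based scanner added as an example; it is not part of awesome-llm-apps or of this advisory. It goes slightly beyond the literal `os.environ[...] = user_input` pattern: it also flags `os.environ.update(...)`, `os.environ.setdefault(...)`, `os.putenv(...)`, and the same writes made through `import os as ...` or `from os import environ as ...`. The `SAMPLE_APP` source it scans is constructed for the example and only mimics the shape of a Streamlit app.

```python
import ast
import sys
from typing import Dict, List


class EnvironWriteFinder(ast.NodeVisitor):
    """Collects every statement that writes to the process-wide environment.

    Covered forms: os.environ[k] = v, os.environ.update(...), os.environ.setdefault(k, v),
    os.putenv(k, v), plus the same through aliases (`import os as o`, `from os import environ as e`).
    """

    def __init__(self) -> None:
        self.os_names = {"os"}          # names bound to the os module
        self.environ_names = set()      # names bound directly to os.environ
        self.findings: List[Dict] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name == "os":
                self.os_names.add(alias.asname or "os")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "os":
            for alias in node.names:
                if alias.name == "environ":
                    self.environ_names.add(alias.asname or "environ")
        self.generic_visit(node)

    def _is_environ(self, node: ast.AST) -> bool:
        # `<os alias>.environ` or a name imported from os as environ
        if isinstance(node, ast.Attribute) and node.attr == "environ":
            return isinstance(node.value, ast.Name) and node.value.id in self.os_names
        return isinstance(node, ast.Name) and node.id in self.environ_names

    def _record(self, node: ast.AST, pattern: str, value) -> None:
        # A constant right-hand side (e.g. a log level) is still process-wide state, but it
        # is not a user-supplied secret; the flag lets reviewers prioritise non-constant writes.
        self.findings.append({
            "line": node.lineno,
            "pattern": pattern,
            "constant": isinstance(value, ast.Constant),
        })

    def visit_Assign(self, node: ast.Assign) -> None:
        for target in node.targets:
            if isinstance(target, ast.Subscript) and self._is_environ(target.value):
                self._record(node, "os.environ[...] = ...", node.value)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute):
            if func.attr in {"update", "setdefault"} and self._is_environ(func.value):
                value = node.args[1] if func.attr == "setdefault" and len(node.args) > 1 else None
                self._record(node, f"os.environ.{func.attr}(...)", value)
            elif (func.attr == "putenv" and isinstance(func.value, ast.Name)
                  and func.value.id in self.os_names):
                value = node.args[1] if len(node.args) > 1 else None
                self._record(node, "os.putenv(...)", value)
        self.generic_visit(node)


def find_environ_writes(source: str, filename: str = "<source>") -> List[Dict]:
    """Parse Python source and return environment writes sorted by line number."""
    finder = EnvironWriteFinder()
    finder.visit(ast.parse(source, filename=filename))
    return sorted(finder.findings, key=lambda f: f["line"])


# Constructed sample in the shape of a Streamlit app; not code from the project.
SAMPLE_APP = '''\
import os
import streamlit as st

st.title("GitHub MCP Agent (constructed sample)")
github_token = st.text_input("GitHub token", type="password")
if github_token:
    os.environ["GITHUB_TOKEN"] = github_token      # process-wide: flagged
os.environ.setdefault("LOG_LEVEL", "INFO")        # process-wide but constant: flagged, low priority
st.session_state["github_token"] = github_token   # per-session: not flagged
'''


if __name__ == "__main__":
    # Usage: python environ_audit.py app.py other.py ...   (no args: scan the sample)
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("SAMPLE_APP", SAMPLE_APP)]
    for name, src in sources:
        for f in find_environ_writes(src, name):
            priority = "LOW " if f["constant"] else "HIGH"
            print(f"{priority} {name}:{f['line']}: {f['pattern']}")
```

Findings with `constant` set to False are the ones to review first: a non-constant value written to `os.environ` inside request-handling code is exactly the session-leak pattern this advisory describes. The scanner parses, it does not execute, so it is safe to run over untrusted checkouts.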

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
8.4 - AI System Security
NIST AI RMF
GOVERN-6.1 - Policies and procedures are in place for organizational teams that develop and deploy AI systems
MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and applied
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Technical Details

NVD Description

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse.

Exploitation Scenario

An attacker identifies a shared Streamlit-based GitHub MCP Agent deployment — common in internal developer portals, AI demo environments, or shared team tooling. A legitimate user authenticates their session by entering their GitHub PAT and an LLM API key into the Streamlit UI, which the application stores via os.environ['GITHUB_TOKEN'] = token. The attacker, using a separate browser session (or even a simple HTTP client), immediately submits a benign request to the same Streamlit app. Because all sessions share the same Python process, the application code handling the attacker's session reads the same os.environ and picks up the previously stored credentials. The attacker exfiltrates the GitHub PAT to clone private repositories or access secrets, and uses the stolen LLM API key to run compute-intensive workloads at the victim's expense.
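The scenario above comes down to one property of `os.environ`: it is a single mapping shared by every session the process serves. The following added example (not code from awesome-llm-apps or from this advisory) puts the vulnerable handler next to the session-scoped fix and wraps both in a regression check a team can keep in CI. It runs without Streamlit: the `Session.state` dict stands in for `st.session_state`, the handler functions and the `ghp_...` token value are constructed for the example, and `GITHUB_TOKEN` is the variable name named on this page.

```python
import os
from dataclasses import dataclass, field
from typing import Callable, Optional

# Environment variable name used by the vulnerable pattern described on this page.
ENV_KEY = "GITHUB_TOKEN"


@dataclass
class Session:
    """A simulated browser session. `state` stands in for st.session_state (a per-session
    mapping); `typed_token` is what this user entered in the UI, if anything."""
    state: dict = field(default_factory=dict)
    typed_token: Optional[str] = None


def vulnerable_handler(session: Session) -> Optional[str]:
    """Anti-pattern: the user-typed secret is written to the process-wide environment,
    so every other session served by the same Python process can read it back."""
    if session.typed_token:
        os.environ[ENV_KEY] = session.typed_token
    # Downstream code (e.g. the MCP/GitHub client) later reads the token from the environment.
    return os.environ.get(ENV_KEY)


def safe_handler(session: Session) -> Optional[str]:
    """Fix: keep the secret in session-scoped state and hand it to the client explicitly
    for this request only. Nothing is written to shared process state."""
    if session.typed_token:
        session.state[ENV_KEY] = session.typed_token
    return session.state.get(ENV_KEY)


def leaks_across_sessions(handler: Callable[[Session], Optional[str]]) -> bool:
    """Regression check: run a victim session that supplies a token, then a second session
    that supplies nothing, and report whether the second session ends up with the token."""
    os.environ.pop(ENV_KEY, None)          # start from a clean environment
    try:
        victim = Session(typed_token="ghp_constructed_example_token")  # constructed value
        handler(victim)
        other = Session()                  # a different user who never entered a token
        return handler(other) == victim.typed_token
    finally:
        os.environ.pop(ENV_KEY, None)      # never leave the sample token behind


if __name__ == "__main__":
    print("os.environ handler leaks across sessions:", leaks_across_sessions(vulnerable_handler))  # True
    print("session-state handler leaks across sessions:", leaks_across_sessions(safe_handler))     # False
```

In a real Streamlit app the `state` mapping is `st.session_state`, and the credential should be passed into the MCP or GitHub client as a constructor argument or request header rather than read back from the environment; a client that only knows how to read `os.environ` is the reason the anti-pattern keeps reappearing. Running `leaks_across_sessions` against each handler in CI turns the advisory's finding into a test that fails if someone reintroduces the environment write.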

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Timeline

Published
March 30, 2026
Last Modified
March 30, 2026
First Seen
March 30, 2026