CVE-2026-29872: awesome-llm-apps MCP Agent: cross-session credential theft
Severity: HIGH. PoC available. CISA SSVC decision: Track.
Any Streamlit-based AI agent in your stack that accepts user-supplied API keys may be leaking those credentials to the next person who uses the app, with no authentication required. Audit all internal Streamlit deployments for use of os.environ with user-provided secrets and rotate any tokens that may have been exposed. This is a systemic pattern in the vibe-coding AI app ecosystem, not an isolated case.
What is the risk?
High risk. CVSS 8.2 reflects a network-accessible vulnerability requiring zero privileges and zero user interaction. The attack is trivially reproducible: an attacker opens a session on a shared Streamlit app after a legitimate user has entered a token. Because the app reads that token back from process-wide environment variables on every script run, the attacker's requests are served with the victim's credentials, and the stored values can be retrieved. No race is needed; the value persists until it is overwritten or the process restarts. The exposure is amplified in shared-hosting, internal developer tooling, and demo environments, all common deployment patterns for LLM-powered agents built on Streamlit. GitHub PATs grant repository access; stolen LLM API keys enable financial abuse via compute cost draining.
What should I do?
Six steps:
1. IMMEDIATE: Rotate all GitHub Personal Access Tokens and LLM API keys that may have been entered into affected Streamlit deployments.
2. PATCH: Replace `os.environ` writes of user-supplied credentials with Streamlit session state (`st.session_state`), which is isolated per browser session.
3. AUDIT: Search internal codebases for the pattern `os.environ[...] = user_input` in Streamlit apps, together with equivalent `os.environ.update(...)` and `os.putenv(...)` calls fed from user input.
4. ARCHITECTURE: Never use process-wide state for session-scoped secrets. Use per-request credential injection or short-lived token exchange patterns.
5. DETECT: Monitor GitHub API and LLM provider logs for anomalous usage of tokens you have issued.
6. SCOPE: This anti-pattern is pervasive in community LLM app templates; brief your development teams on session isolation requirements before deploying any Streamlit-based AI tooling.
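For the AUDIT step, a grep for `os.environ[...] = user_input` misses the `update()` and `putenv()` variants and flags harmless literal assignments. The following AST-based scan is an added example written for this page, not code from the awesome-llm-apps project: it flags any write to the process environment whose value is not a literal. `SAMPLE_APP` is a constructed Streamlit script standing in for a file under review.

```python
"""Added example (not from awesome-llm-apps): flag writes to the process-wide
environment whose value is not a literal, the pattern behind the cross-session
leak. Run it over each Streamlit app's source; SAMPLE_APP is a constructed
stand-in for one such file."""
import ast
from typing import List, Tuple

# Constructed sample: a Streamlit script mixing safe literal settings with
# user-supplied secrets pushed into os.environ (lines 6, 10 and 11 are bad).
SAMPLE_APP = """\
import os
import streamlit as st

token = st.text_input("GitHub token", type="password")
if token:
    os.environ["GITHUB_TOKEN"] = token
os.environ["LOG_LEVEL"] = "INFO"
os.environ.setdefault("MODEL_NAME", "gpt-4o")
key = st.sidebar.text_input("LLM API key", type="password")
os.environ.update({"OPENAI_API_KEY": key})
os.putenv("ANTHROPIC_API_KEY", key)
"""


def _is_os_attr(node: ast.AST, name: str) -> bool:
    """True when `node` is the expression `os.<name>`."""
    return (isinstance(node, ast.Attribute) and node.attr == name
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def _is_literal(node: ast.AST) -> bool:
    """A value that literal_eval accepts cannot carry user input."""
    try:
        ast.literal_eval(node)
        return True
    except (ValueError, TypeError, SyntaxError):
        return False


def find_environ_writes(source: str) -> List[Tuple[int, str]]:
    """Return (line number, description) for each environment write fed by a
    non-literal value: os.environ[...] = expr, os.environ.update/setdefault(expr)
    and os.putenv(..., expr)."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            targets_env = any(isinstance(t, ast.Subscript)
                              and _is_os_attr(t.value, "environ")
                              for t in node.targets)
            if targets_env and not _is_literal(node.value):
                findings.append((node.lineno, "os.environ[...] = non-literal"))
        elif isinstance(node, ast.Call):
            func = node.func
            args = list(node.args) + [kw.value for kw in node.keywords]
            if (isinstance(func, ast.Attribute)
                    and _is_os_attr(func.value, "environ")
                    and func.attr in ("update", "setdefault", "__setitem__")):
                if any(not _is_literal(a) for a in args):
                    findings.append(
                        (node.lineno, f"os.environ.{func.attr}(...) with non-literal argument"))
            elif _is_os_attr(func, "putenv") and any(not _is_literal(a) for a in args):
                findings.append((node.lineno, "os.putenv(...) with non-literal argument"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, what in find_environ_writes(SAMPLE_APP):
        print(f"line {lineno}: {what}")
```

Every hit needs a human look: a non-literal value may be a server-side config read rather than user input, but in a Streamlit app anything that traces back to `st.text_input` or a sidebar widget is exactly the pattern this CVE describes.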
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-29872?
CVE-2026-29872 is a cross-session information disclosure in the Streamlit-based GitHub MCP Agent of the awesome-llm-apps project (commit e46690f99c3f08be80a9877fab52acacf7ab8251). The agent stores user-supplied GitHub Personal Access Tokens and LLM API keys in process-wide environment variables via os.environ. Because Streamlit serves all concurrent users from a single Python process, a credential entered by one user remains accessible to later, unauthenticated users of the same deployment.
Is CVE-2026-29872 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-29872, which increases the risk of exploitation. The page records no evidence of active exploitation: CISA's SSVC decision is Track and the EPSS score is 0.10%.
How to fix CVE-2026-29872?
Six steps: rotate any GitHub Personal Access Tokens and LLM API keys entered into affected Streamlit deployments; replace `os.environ` writes of user-supplied credentials with `st.session_state`, which is isolated per session; audit internal codebases for `os.environ[...] = user_input` in Streamlit apps; never keep session-scoped secrets in process-wide state (use per-request credential injection or short-lived token exchange); monitor GitHub API and LLM provider logs for anomalous use of tokens you have issued; and brief development teams on session isolation requirements before deploying Streamlit-based AI tooling.
What systems are affected by CVE-2026-29872?
The vulnerable component is the Streamlit-based GitHub MCP Agent in the awesome-llm-apps project at commit e46690f99c3f08be80a9877fab52acacf7ab8251. The page classifies it under the following AI/ML architecture patterns: agent frameworks, MCP-based agents, model serving, AI developer tooling.
What is the CVSS score for CVE-2026-29872?
CVE-2026-29872 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.10%.
Technical Details
NVD Description
A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse.
Exploitation Scenario
An attacker identifies a shared Streamlit-based GitHub MCP Agent deployment, common in internal developer portals, AI demo environments, or shared team tooling. A legitimate user configures their session by entering their GitHub PAT and an LLM API key into the Streamlit UI, which the application stores via os.environ['GITHUB_TOKEN'] = token. The attacker, from a separate browser session or a scripted client, submits a benign request to the same Streamlit app. Because all sessions share the same Python process, the script run that serves the attacker's session reads the same os.environ, so the attacker's requests are authenticated with the previously stored credentials and the values themselves can be retrieved. The attacker exfiltrates the GitHub PAT to clone private repositories or access secrets, and uses the stolen LLM API key to run compute-intensive workloads at the victim's expense.
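The following is an added example, not code from the awesome-llm-apps project: a minimal model of the scenario above (two sessions served by one process) beside the session-scoped fix. The handler functions are hypothetical stand-ins for the agent's Streamlit script; `SessionStore` stands in for `st.session_state` so the example runs without Streamlit installed; `mcp_server_env` shows per-request credential injection for an MCP server spawned as a subprocess, assuming that server reads `GITHUB_TOKEN`. The token value is a constructed placeholder.

```python
"""Added example (not from awesome-llm-apps): the cross-session leak modelled
in-process, and two session-scoped alternatives. handler functions are
hypothetical stand-ins for the agent's Streamlit script."""
import os
from typing import Dict, Optional

VICTIM_TOKEN = "ghp_EXAMPLE_victim_token"  # constructed placeholder, not a real PAT


def vulnerable_handler(token_input: Optional[str]) -> Optional[str]:
    """Vulnerable pattern: the script stores whatever the user typed in the
    process-wide environment, then reads it back to authenticate tool calls.
    Every session served by this process observes the same value."""
    if token_input:
        os.environ["GITHUB_TOKEN"] = token_input
    return os.environ.get("GITHUB_TOKEN")


class SessionStore:
    """Stand-in for st.session_state: one isolated dict per session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def state(self, session_id: str) -> Dict[str, str]:
        return self._sessions.setdefault(session_id, {})


def hardened_handler(store: SessionStore, session_id: str,
                     token_input: Optional[str]) -> Optional[str]:
    """Hardened pattern: the credential lives only in this session's state and
    is never written to os.environ, so another session cannot inherit it."""
    state = store.state(session_id)
    if token_input:
        state["github_token"] = token_input
    return state.get("github_token")


def mcp_server_env(token: str) -> Dict[str, str]:
    """Per-request credential injection: build the environment for a child MCP
    stdio server (subprocess.Popen(cmd, env=mcp_server_env(token))) from a copy,
    leaving the parent process's os.environ untouched. Assumes the server reads
    GITHUB_TOKEN, as the advisory's vulnerable script does."""
    env = dict(os.environ)
    env["GITHUB_TOKEN"] = token
    return env


def demo_leak() -> Optional[str]:
    """Victim's script run stores a token; the attacker's run sends no token and
    is served the victim's credential."""
    os.environ.pop("GITHUB_TOKEN", None)
    vulnerable_handler(VICTIM_TOKEN)             # victim's session
    seen_by_attacker = vulnerable_handler(None)  # attacker's session
    os.environ.pop("GITHUB_TOKEN", None)         # clean up after the demo
    return seen_by_attacker


def demo_hardened() -> Optional[str]:
    """Same two runs against session-scoped state: the attacker sees nothing."""
    store = SessionStore()
    hardened_handler(store, "session-victim", VICTIM_TOKEN)
    return hardened_handler(store, "session-attacker", None)


def demo_env_isolation() -> bool:
    """The child environment carries the token; the parent environment does not."""
    os.environ.pop("GITHUB_TOKEN", None)
    child_env = mcp_server_env(VICTIM_TOKEN)
    return child_env["GITHUB_TOKEN"] == VICTIM_TOKEN and "GITHUB_TOKEN" not in os.environ


if __name__ == "__main__":
    print("vulnerable, attacker sees:", demo_leak())
    print("hardened, attacker sees:", demo_hardened())
    print("parent environment isolated:", demo_env_isolation())
```

In a real Streamlit app the `SessionStore` lookups become `st.session_state["github_token"]`, and the token is passed explicitly to whatever spawns or calls the MCP server rather than being read from `os.environ` at call time.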
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Related Vulnerabilities
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Data Leakage
- CVE-2023-3765 (10.0) MLflow: path traversal allows arbitrary file read. Same attack type: Data Leakage
- CVE-2025-2828 (10.0) LangChain RequestsToolkit: SSRF exposes cloud metadata. Same attack type: Auth Bypass
- CVE-2025-53767 (10.0) Azure OpenAI: SSRF EoP, no auth required (CVSS 10). Same attack type: Privacy Violation
- CVE-2026-21858 (10.0) n8n: Input Validation flaw enables exploitation. Same attack type: Auth Bypass