Cross-Session Information Disclosure in Awesome LLM Apps by Streamlit
CVE-2026-29872

8.2HIGH

Key Information:

Vendor: Streamlit

CVE Published: 30 March 2026

What is CVE-2026-29872?

The Awesome LLM Apps project, built on the Streamlit framework, contains a critical flaw that allows cross-session information disclosure. The flaw arises because user-supplied API tokens are stored in process-wide environment variables without any session isolation. Because Streamlit serves multiple users from a single Python process, sensitive credentials such as GitHub Personal Access Tokens or LLM API keys can be read by subsequent, unauthenticated users. An attacker who obtains these credentials can use them to access the token owner's private resources and incur costs on their accounts.
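The mechanism described above can be reproduced without Streamlit: the only ingredient is that `os.environ` belongs to the whole process while a Streamlit session's state belongs to one browser tab. The following Python is an added illustration written for this page, not code from the Awesome LLM Apps project or from Streamlit. It simulates two sessions inside one process, first with the vulnerable pattern (token written to the environment) and then with the hardened pattern (token kept in a per-session dict standing in for `st.session_state`). The environment variable name and the sample token are constructed for the simulation and are not taken from the advisory.

```python
import os
from typing import Optional

# Constructed sample values for the simulation; not real credentials and not
# names used by the affected project.
ENV_KEY = "GITHUB_TOKEN"                      # hypothetical variable name
TOKEN_USER_A = "ghp_constructed_token_for_user_A"


def vulnerable_set_token(token: str) -> None:
    """Pattern the advisory describes: the token typed by one user is written
    into the process environment, which every session in the process shares."""
    os.environ[ENV_KEY] = token


def vulnerable_get_token() -> Optional[str]:
    """What any later request in the same process sees: whatever the last
    user wrote, regardless of which session they belonged to."""
    return os.environ.get(ENV_KEY)


def hardened_set_token(session_state: dict, token: str) -> None:
    """Hardened pattern: keep the credential in the per-session store.
    In a real Streamlit app this dict would be st.session_state."""
    session_state["github_token"] = token


def hardened_get_token(session_state: dict) -> Optional[str]:
    """Each session only ever sees the token it entered itself."""
    return session_state.get("github_token")


def simulate(pattern: str) -> dict:
    """Run two simulated browser sessions through one Python process.

    Session A supplies a token; session B, an unrelated later visitor, supplies
    nothing. Returns what each session can read back afterwards and whether
    A's token became visible to B.
    """
    session_a: dict = {}                # one dict per session, like st.session_state
    session_b: dict = {}
    os.environ.pop(ENV_KEY, None)       # start from a clean process environment
    try:
        if pattern == "vulnerable":
            vulnerable_set_token(TOKEN_USER_A)
            seen_by_a = vulnerable_get_token()
            seen_by_b = vulnerable_get_token()   # B never entered a token, yet reads A's
        elif pattern == "hardened":
            hardened_set_token(session_a, TOKEN_USER_A)
            seen_by_a = hardened_get_token(session_a)
            seen_by_b = hardened_get_token(session_b)
        else:
            raise ValueError(f"unknown pattern: {pattern}")
    finally:
        os.environ.pop(ENV_KEY, None)   # do not leave the sample token in the process
    return {
        "seen_by_a": seen_by_a,
        "seen_by_b": seen_by_b,
        "leaked_to_b": seen_by_b == TOKEN_USER_A,
    }


if __name__ == "__main__":
    for name in ("vulnerable", "hardened"):
        print(name, simulate(name))
```

The same per-session rule applies to any SDK that reads its key from the environment by default: pass the key explicitly from session state when constructing the client instead of exporting it, so a client built during one user's request cannot pick up a value left behind by another.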

References

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved