Sensitive Information Exposure in ArthurFiorette Steam-Trader by ArthurFiorette
CVE-2026-5128

10 CRITICAL

Key Information:

Vendor
CVE Published: 30 March 2026

What is CVE-2026-5128?

A vulnerability exists in the Steam-Trader application developed by ArthurFiorette, allowing unauthenticated attackers to exploit the /users API endpoint. This issue can lead to the unauthorized retrieval of sensitive Steam account data, including usernames, passwords, identity secrets, and shared secrets. Furthermore, due to inadequate logging practices, authentication logs reveal critical information such as access tokens, refresh tokens, and session identifiers. This leakage empowers attackers to forge valid Steam Guard (2FA) codes, hijack active sessions, and gain full control over compromised accounts, which includes unauthorized access to a user's inventory and trading features. Unfortunately, as the repository is archived and no longer maintained, no fixes are available for this vulnerability.

Affected Version(s)

steam-trader 2.1.1

CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jamshed Yergashvoyev (CVE GUY)
Muhammad Usmonov (Shep)