Information Disclosure in Parseable Notification-Target API Endpoints
CVE-2026-56783

7.1HIGH

Key Information:

Vendor

Parseablehq

Status
Parseable
Vendor
CVE Published:
29 June 2026

What is CVE-2026-56783?

Parseable versions prior to 2.9.2 are susceptible to an information disclosure vulnerability affecting the notification-target API endpoints. This vulnerability allows authenticated users, including those with low-privilege reader roles, to access webhook tokens and basic-auth credentials in cleartext. The issue arises from the commented-out secret-masking functionality. By querying the GET /api/v1/targets endpoint or related endpoints, attackers can recover sensitive credentials and internal endpoint URLs for all configured notification targets, posing a significant risk to system security.

Affected Version(s)

parseable 0 < 2.9.2

parseable 2.9.2

References

https://github.com/parseablehq/parseable/releases/tag/v2.9.2
release-notes
https://github.com/parseablehq/parseable/issues/1693
technical-description
https://github.com/parseablehq/parseable/pull/1698
issue-tracking

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.