CVE-2021-39174

HIGH

Cachet <2.5.1 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-39174. PoCs published by n0kovo, hadrian3689.

AI-analyzed exploit summary This PoC exploits CVE-2021-39174, a configuration leak vulnerability in Cachet, by leveraging a template injection flaw in the mail settings to extract sensitive environment variables. It authenticates, manipulates mail settings, and exfiltrates values like APP_KEY and database credentials.

Description

Cachet is an open source status page system. Prior to version 2.5.1, authenticated users, regardless of their privileges (User or Admin), can leak the value of any configuration entry of the dotenv file, e.g. the application secret (`APP_KEY`) and various passwords (email, database, etc). This issue was addressed in version 2.5.1 by improving `UpdateConfigCommandHandler` and preventing the use of nested variables in the resulting dotenv configuration file. As a workaround, only allow trusted source IP addresses to access to the administration dashboard.

Exploits (2)

nomisec WORKING POC 4 stars

by n0kovo · poc

https://github.com/n0kovo/CVE-2021-39174-PoC

View Code ZIP pw:eip

This PoC exploits CVE-2021-39174, a configuration leak vulnerability in Cachet, by leveraging a template injection flaw in the mail settings to extract sensitive environment variables. It authenticates, manipulates mail settings, and exfiltrates values like APP_KEY and database credentials.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Cachet (version not specified)

Auth required

Prerequisites: Valid Cachet credentials · Access to the Cachet dashboard

MITRE ATT&CK

T1552 - Unsecured Credentials T1114 - Email Collection

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by hadrian3689 · poc

https://github.com/hadrian3689/cachet_2.4.0-dev

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2021-39174, targeting Cachet 2.4.0-dev. The exploit demonstrates both information disclosure via Twig Server Side Template Injection (SSTI) and Remote Code Execution (RCE) when an API key is provided.

Classification

Working Poc 95%

Attack Type

Rce | Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Cachet 2.4.0-dev

Auth required

Prerequisites: Valid user credentials · API key for RCE

MITRE ATT&CK

T1221 - Template Injection T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/fiveai/Cachet/releases/tag/v2.5.1

Third Party Advisory x_refsource_confirm

https://github.com/fiveai/Cachet/security/advisories/GHSA-88f9-7xxh-c688

Exploit, Third Party Advisory x_refsource_misc

https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection/

Scores

CVSS v3 8.8

EPSS 0.5172

EPSS Percentile 98.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-75

Status published

Products (2)

cachethq/cachet 0 - 2.5.1Packagist

catchethq/catchet < 2.5.1

Published Aug 28, 2021

Tracked Since Feb 18, 2026