CVE-2026-32810
MEDIUMHalloy has insecure file permissions on credential files
Title source: cnaDescription
Halloy is an IRC application written in Rust. In versions on \*nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in `0644` on files and `0755` on directories. This allows any local user on the system to read plaintext credentials stored in `config.toml` or referenced `password_file` paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7g
X_Refsource_Misc x_refsource_misc
https://github.com/squidowl/halloy/commit/f180e41061db393acf65bc99f5c5e7397586d9cb
Scores
CVSS v3
5.5
EPSS
0.0018
EPSS Percentile
7.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-732
Status
published
Products (2)
halloy/halloy
< 2026.4
squidowl/halloy
<= 2026.4
Published
Mar 20, 2026
Tracked Since
Mar 21, 2026