CVE Alert

CVE-2026-32810

UNKNOWN 0.0

Halloy has insecure file permissions on credential files

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 1st

Halloy is an IRC application written in Rust. On *nix and macOS, versions prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb create the config directory and its files using default umask permissions, which typically results in `0644` on files and `0755` on directories. This allows any local user on the system to read plaintext credentials stored in `config.toml` or in files referenced by `password_file` paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.
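
A way to check an existing config directory for this exposure and restrict it to the owner, as an added example that is not part of the advisory or the Halloy patch. The function names, the `0700`/`0600` target modes and the constructed demo directory are assumptions of this example; pass the real config directory yourself, and check any `password_file` targets stored outside it separately.

```shell
#!/bin/sh
# Added example: audit and tighten a credential directory that was
# created under a default umask (0755 directories, 0644 files).

# Print every entry under $1 that has any group or other permission bit set.
# The -o chain is the POSIX equivalent of GNU find's "-perm /077".
find_exposed() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Restrict everything under $1 to the owner only.
# 0700 for directories and 0600 for files are this example's choice.
tighten() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Constructed demo: recreate the default-umask layout in a scratch
# directory, count exposed entries before and after tightening.
demo() {
    tmp=$(mktemp -d) || return 1
    (
        umask 022                      # the common default described above
        mkdir "$tmp/cfg"               # ends up 0755
        printf 'password = "constructed-sample"\n' > "$tmp/cfg/config.toml"  # 0644
    )
    before=$(find_exposed "$tmp/cfg" | wc -l | tr -d ' ')
    tighten "$tmp/cfg"
    after=$(find_exposed "$tmp/cfg" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$before $after"
}
```

Run `find_exposed <dir>` first to see what is readable by other accounts, then `tighten <dir>`; credentials that were exposed on a multi-user host should also be rotated, since a mode change does not undo earlier reads.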

CWE: CWE-732
Vendor: squidowl
Product: halloy
Published: Mar 20, 2026
Last Updated: Mar 23, 2026

Affected Versions

squidowl / halloy
<= 2026.4

References

github.com: https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7g
github.com: https://github.com/squidowl/halloy/commit/f180e41061db393acf65bc99f5c5e7397586d9cb