CVE-2026-56783
Parseable < 2.9.2 - Cleartext Credential Exposure in Notification Target API
| CVSS Score | 6.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Parseable before 2.9.2 contains an information disclosure vulnerability: the notification-target API endpoints return webhook tokens and basic-auth credentials in cleartext because the secret-masking functionality was commented out. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.
| CWE | CWE-522 |
| Vendor | parseablehq |
| Product | parseable |
| Published | Jun 29, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
parseablehq / parseable
0 < 2.9.2
References
github.com: https://github.com/parseablehq/parseable/releases/tag/v2.9.2
github.com: https://github.com/parseablehq/parseable/issues/1693
github.com: https://github.com/parseablehq/parseable/pull/1698
github.com: https://github.com/parseablehq/parseable/commit/f307c4989cc9f3ff4204fd383dec7a39924e6b2a
vulncheck.com: https://www.vulncheck.com/advisories/parseable-cleartext-credential-exposure-in-notification-target-api
Credits
George Chen