
Cloud Vulnerability DB
Eine von der Community geführte Datenbank für Schwachstellen
CVE-2026-54254 is a host validation bypass vulnerability in cyberdrop-dl-patched, a Python pip package, that causes the tool to leak a user's Pixeldrain API key to unverified third-party hosts via the Authorization HTTP header. The vulnerability affects versions >= 8.5.0 and < 9.14.0 of cyberdrop-dl-patched. It was first published by researcher NTFSvolume on June 4, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v4.0 base score of 6.9 (Medium) (GitHub Advisory, Security Advisory).
The root cause is improper input validation (CWE-20) combined with exposure of sensitive information to unauthorized actors (CWE-200). The Pixeldrain crawler in cyberdrop-dl-patched matches URLs to its handler using a substring check against the host field — meaning any domain containing "pixeldrain" as a substring (e.g., evil-pixeldrain.com) will match. Once matched, the tool dynamically uses the input URL's host for all subsequent API requests, including those that attach the user's API key in the Authorization header, without verifying that the host is an official Pixeldrain domain. The fix in commit 4479555 adds an exact-match check (if self.origin.host not in self.SUPPORTED_DOMAINS) before processing any Pixeldrain URL (GitHub Advisory, Fix Commit).
Successful exploitation results in the theft of the victim's Pixeldrain API key, which is transmitted in plaintext via the Authorization header to an attacker-controlled server. Users who have configured a Pixeldrain API key and process URLs from sites that can embed or redirect to external links (e.g., forums, WordPress sites, or Pixeldrain itself) are at risk. A stolen API key could allow an attacker to access or manage the victim's Pixeldrain account, including viewing private files or performing actions on their behalf. There is no impact on system integrity or availability (GitHub Advisory).
evil-pixeldrain.com) and configure it to log all incoming HTTP requests, including headers.https://evil-pixeldrain.com/u/FILEID).cyberdrop-dl-patched, such as a forum post, WordPress page, or within a Pixeldrain album that spawns external links.cyberdrop-dl-patched against the page containing the malicious URL, the tool's substring-based host matching routes the URL to the Pixeldrain crawler.https://evil-pixeldrain.com/api/... with the Authorization header containing the victim's Pixeldrain API key, which is logged by the attacker's server.cyberdrop-dl-patched to domains containing "pixeldrain" that are not official Pixeldrain domains (e.g., pixeldrain.com, pixeldrain.net); Authorization headers sent to non-official Pixeldrain endpoints.cyberdrop-dl-patched making API requests (e.g., /api/...) to unexpected hosts that contain "pixeldrain" as a substring but do not match official domains.cyberdrop-dl-patched versions >= 8.5.0 and < 9.14.0 installed in the Python environment (verifiable via pip show cyberdrop-dl-patched).Upgrade cyberdrop-dl-patched to version 9.14.0 or later, which enforces exact-match domain validation for Pixeldrain URLs, rejecting any host not in the official domain allowlist (Release 9.14.0). As an immediate precaution, any user who has configured a Pixeldrain API key with an affected version should treat that key as compromised, revoke it, and generate a new one from their Pixeldrain account settings. There is no configuration-based workaround for unpatched versions other than removing the API key from the tool's configuration (Security Advisory).
Quelle: Dieser Bericht wurde mithilfe von KI erstellt
Kostenlose Schwachstellenbewertung
Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.
Eine personalisierte Demo anfordern
"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"