CVE-2026-5128
Published: 30 March 2026
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2026-5128 is a sensitive information exposure vulnerability (CWE-200, CWE-532) affecting ArthurFiorette's steam-trader version 2.1.1, an application interacting with Steam accounts for trading functionality. The flaw allows unauthenticated access to highly sensitive data via the /users API endpoint, including Steam account usernames, passwords, identity secrets, and shared secrets. Additionally, application logs disclose authentication artifacts such as access tokens, refresh tokens, and session identifiers.
An unauthenticated attacker can exploit this vulnerability remotely with low complexity by sending a request to the exposed /users endpoint, retrieving the sensitive Steam credentials without any privileges or user interaction. With this data, the attacker can generate valid Steam Guard (2FA) codes, hijack authenticated sessions, and gain full control over the victim's Steam account, enabling unauthorized access to inventory and trading features.
No patches or fixes are available, as the project's GitHub repository (https://github.com/arthurfiorette/steam-trader) is archived and no longer maintained, leaving users without official mitigation options.
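With no upstream fix, anyone still running the application has to keep these values out of logs and serialized output themselves. The block below is an added example, not code from the steam-trader project: a redaction helper that masks the secret types named above before a record is written. The field names, the JWT-shaped token pattern, and the helper names are assumptions.

```javascript
// Added example: the field names below are assumptions based on the secret
// types the advisory lists; they are not taken from the steam-trader source.
const SENSITIVE_KEYS = new Set([
  'password', 'sharedsecret', 'identitysecret',
  'accesstoken', 'refreshtoken', 'sessionid',
]);
const MASK = '[REDACTED]';
// JWT-shaped strings (three base64url segments): assumed token shape in free text.
const JWT_RE = /\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}/g;

// Map "shared_secret", "sharedSecret" and "Shared-Secret" to one form.
function normaliseKey(key) {
  return String(key).toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Return a deep copy of `value` with sensitive fields masked.
// The input is never mutated, so the live account object keeps working.
function redact(value, seen = new WeakSet()) {
  if (typeof value === 'string') return value.replace(JWT_RE, MASK);
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return '[Circular]';
  seen.add(value);
  const out = Array.isArray(value)
    ? value.map((v) => redact(v, seen))
    : Object.fromEntries(Object.entries(value).map(([k, v]) =>
        [k, SENSITIVE_KEYS.has(normaliseKey(k)) ? MASK : redact(v, seen)]));
  seen.delete(value); // only ancestors count as cycles; shared references are fine
  return out;
}

// Serialise a log record only after redaction.
function safeLogLine(message, context = {}) {
  return JSON.stringify({ msg: redact(message), ctx: redact(context) });
}

// Constructed sample record (all values are fake).
const sample = {
  username: 'demo_user',
  password: 'hunter2',
  shared_secret: 'AAAAfakeSharedSecret=',
  session: { sessionId: 'abc123', refreshToken: 'eyJhbGciOi.eyJzdWIiOi.c2lnbmF0dXJl' },
};
console.log(safeLogLine('login ok, token eyJhbGciOi.eyJzdWIiOi.c2lnbmF0dXJl', sample));
```

Redaction only limits what new log lines and serialized objects contain; it does not add authentication to the /users endpoint, and values already written to existing logs remain there.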
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated access to the public-facing /users API exposes Steam usernames, passwords, identity/shared secrets (enabling account control), access/refresh tokens, and session identifiers, and the logs expose additional tokens. This maps directly to the public-facing application exploitation and credential/token theft techniques.