CVE-2026-56783
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk18th percentile — higher than 18% of all known CVEs
Summary
Parseable before version 2.9.2 exposes webhook tokens and basic-auth credentials in cleartext via notification-target API endpoints due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets.
Risk Assessment
The organization risks leakage of sensitive credentials and internal endpoint URLs, potentially allowing an attacker to compromise configured notification targets and launch further attacks on the infrastructure.
Recommendation
Immediately upgrade Parseable to version 2.9.2 or later, which restores secret masking. Additionally, rotate all webhook tokens and basic-auth passwords used in notification configurations.
Original NVD description (English source)
Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.

