{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0615", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-01-05T17:41:40.682Z", "datePublished": "2026-01-16T12:47:27.747Z", "dateUpdated": "2026-01-16T14:38:37.462Z"}, "containers": {"cna": {"title": "CVE-2026-0615", "descriptions": [{"lang": "en", "value": "The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "TheLibrarian", "product": "TheLibrarian.io", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.0", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "references": [{"url": "http://mindgard.ai/blog/thelibrarian-ios-ai-security-"}, {"url": "https://thelibrarian.io/"}], "x_generator": {"engine": "VINCE 3.0.31", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-0615"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-01-16T12:47:27.747Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T14:38:33.181564Z", "id": "CVE-2026-0615", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:38:37.462Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0615", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T14:38:33.181564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:38:29.149Z"}}], "cna": {"title": "CVE-2026-0615", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "TheLibrarian", "product": "TheLibrarian.io", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0"}]}], "references": [{"url": "http://mindgard.ai/blog/thelibrarian-ios-ai-security-"}, {"url": "https://thelibrarian.io/"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.31", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-0615"}, "descriptions": [{"lang": "en", "value": "The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-01-16T12:47:27.747Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0615", "state": "PUBLISHED", "dateUpdated": "2026-01-16T14:38:37.462Z", "dateReserved": "2026-01-05T17:41:40.682Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-01-16T12:47:27.747Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thelibrarian:the_librarian:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE8F0743-241A-47D8-B16A-8E3B94C6ABB8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Librarian `supervisord` status page can be retrieved by the `web_fetch` tool, which can be used to retrieve running processes within TheLibrarian backend. The vendor has fixed the vulnerability in all affected versions."}], "id": "CVE-2026-0615", "lastModified": "2026-01-23T16:59:52.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-16T13:16:11.873", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "http://mindgard.ai/blog/thelibrarian-ios-ai-security-"}, {"source": "cret@cert.org", "tags": ["Product"], "url": "https://thelibrarian.io/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:47:09.043965+00:00", "value": {"mitigation_remediation": ["Update TheLibrarian to the latest vendor\u2011supplied version that contains the fix for the supervisord status page exposure.", "If an immediate upgrade is not feasible, block or restrict external access to the supervisord status endpoint or disable the web_fetch tool to prevent unauthorized process disclosures.", "Continuously monitor network traffic and logs for unexpected access to the status page, and consider adding authentication or IP whitelisting to further safeguard the endpoint."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "This issue affects TheLibrarian.io\u2019s TheLibrarian service. All versions of the product are considered impacted until the vendor releases a fix. No specific version range is listed, but the vendor has confirmed a fix in all affected versions.", "description_and_impact": "The vulnerability lies in how TheLibrarian\u2019s supervisord status page can be fetched via the web_fetch tool, allowing entities that control web_fetch to enumerate running processes on the backend. This disclosure can reveal internal application state, potentially aiding further attacks or providing insight into system configuration. The weakness corresponds to inadequate protection of sensitive process information.", "risk_and_exploitability": "The CVSS base score of 7.3 indicates a high severity potential impact. Although the EPSS score is below 1%, indicating low current exploitation probability, the vulnerability remains exploitable without authentication if the web_fetch path is reachable. The vulnerability is not yet present in the CISA KEV catalog. An attacker who can send crafted requests to the status page\u2014likely through web_fetch\u2014could retrieve the process list. Mitigation requires updating to the vendor\u2019s patched release or implementing network controls to block unauthenticated access to the endpoint."}}}}, "created": "2026-01-19T09:20:54.830006+00:00", "title": "Unauthorized Process Disclosure via Supervisord Status Page", "updated": "2026-04-18T06:00:08.483705+00:00", "vendors": ["thelibrarian", "thelibrarian$PRODUCT$thelibrarian"], "weaknesses": ["CWE-200"]}