{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5128", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "REJECTED", "assignerShortName": "TuranSec", "dateReserved": "2026-03-30T09:09:01.638Z", "datePublished": "2026-03-30T09:18:05.381Z", "dateUpdated": "2026-03-31T12:38:28.035Z", "dateRejected": "2026-03-31T12:38:28.035Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-31T12:38:28.035Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5128", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "REJECTED", "assignerShortName": "TuranSec", "dateReserved": "2026-03-30T09:09:01.638Z", "datePublished": "2026-03-30T09:18:05.381Z", "dateUpdated": "2026-03-31T12:38:28.035Z", "dateRejected": "2026-03-31T12:38:28.035Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-03-31T12:38:28.035Z"}, "rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}], "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "id": "CVE-2026-5128", "lastModified": "2026-03-31T13:16:13.660", "metrics": {}, "published": "2026-03-30T10:16:02.610", "references": [], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.1.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "steam-trader", "source": "cna", "vendor": "ArthurFiorette"}, "product": "steam-trader", "vendor": "arthurfiorette"}], "analysis": {"en": {"generated_at": "2026-03-30T12:24:30.617245+00:00", "value": {"mitigation_remediation": ["Discontinue use of the archived Steam Trader application.", "Replace with a maintained trading solution or custom implementation that validates authentication before exposing API endpoints.", "Verify that no configuration allows unauthenticated API access and restrict access to trusted IP ranges if possible.", "Audit server logs for leaked tokens, session identifiers, or other authentication artifacts; revoke or rotate affected credentials.", "Regenerate all Steam account credentials, including passwords and 2FA secrets, for accounts that may have been compromised.", "Enable additional Steam account security measures, such as IP restrictions, email notifications for new sessions, and Steam Guard to detect unauthorized activity."], "summary": {"action": "Replace App", "impact": "Information exposure enabling full account takeover"}, "threat_synthesis": {"affected_systems": "ArthurFiorette\u2019s Steam Trader application, version\u202f2.1.1, is the only affected product. The project repository has been archived and no longer receives maintenance, meaning no official patch is available. Users running this version are exposed to the described vulnerability.", "description_and_impact": "The vulnerability allows any unauthenticated user to query the /users API endpoint and retrieve highly sensitive details about a Steam account, including the username, password, identity secret, and shared secret. Logs also expose authentication artifacts such as access tokens, refresh tokens, and session identifiers. Together, these disclosures enable the attacker to generate valid Steam Guard two\u2011factor codes, hijack authenticated sessions, and ultimately gain full control of the affected Steam account, including inventory and trading features. This flaw represents an information disclosure weakness (CWE\u2011200) and a log file exposure issue (CWE\u2011532).", "risk_and_exploitability": "The CVSS score of 10 indicates critical severity. Exploitation requires only sending a single unauthenticated HTTP request to the /users endpoint; no special privileges or credentials are needed. Because the repository is unmaintained and the issue is not listed in the CISA KEV catalog, the exposure remains persistent. The lack of a fix and the straightforward attack path combine to create a high\u2011risk scenario that demands immediate remedial action."}}}}, "created": "2026-03-30T20:55:59.984776+00:00", "title": "Sensitive Information Disclosure in Steam Trader Allowing Full Account Takeover", "updated": "2026-03-31T20:41:08.943920+00:00", "vendors": ["arthurfiorette", "arthurfiorette$PRODUCT$steam-trader"]}