H3-2026-0033
Exposed Credentials in Web Response
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.0 |
Description
A web application returned authentication credentials to an unauthenticated client in a publicly accessible response. Common root causes include leaving developer or test logins enabled in production; embedding service credentials in client-side bundles; and returning credential material in error pages, configuration endpoints, or backup files reachable without authentication.
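The following is an added example, not part of this advisory: a defender-side scanner that walks recorded unauthenticated HTTP responses (JSON configuration endpoints and JavaScript bundles, the root causes named above) and reports credential-like fields with a redacted preview. The sample responses, key-name patterns and the `find_exposed_credentials` helper are assumptions constructed for this illustration.

```python
import json
import re

# Field names that commonly carry credential material in config-style JSON responses.
CREDENTIAL_KEY = re.compile(r"pass(word|wd)?|secret|api[_-]?key|token|private[_-]?key", re.I)
# Inline assignments in text or JS bundles, e.g. apiKey:"abc" or password=hunter2
INLINE_ASSIGN = re.compile(
    r"""(?P<key>pass(?:word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*['"]?(?P<val>[^'"\s,;&]{6,})""", re.I)

def _redact(value: str) -> str:
    # Findings carry a preview only; the scanner must not re-leak the secret into its own report.
    return value[:2] + "*" * max(len(value) - 2, 1)

def _walk_json(obj, path, out, prefix=""):
    # Recurse through the decoded body, flagging string values stored under credential-like keys.
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, str) and v and CREDENTIAL_KEY.search(k):
                out.append((path, prefix + k, _redact(v)))
            else:
                _walk_json(v, path, out, prefix + k + ".")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            _walk_json(v, path, out, f"{prefix}{i}.")

def find_exposed_credentials(path: str, content_type: str, body: str) -> list[tuple[str, str, str]]:
    """Return (path, key, redacted_hint) for credential-like material in one unauthenticated response."""
    out: list[tuple[str, str, str]] = []
    if content_type.startswith("application/json"):
        try:
            _walk_json(json.loads(body), path, out)
            return out
        except json.JSONDecodeError:
            pass  # malformed JSON: fall back to the text scan below
    for m in INLINE_ASSIGN.finditer(body):
        out.append((path, m.group("key"), _redact(m.group("val"))))
    return out

# Constructed sample responses, as a crawler would receive them with no session cookie.
SAMPLES = [
    ("/api/config", "application/json",
     '{"db": {"host": "db.internal", "password": "Sup3rSecret!"}, "debug": true}'),
    ("/static/app.bundle.js", "application/javascript",
     'const cfg={apiKey:"sk_live_0123456789",endpoint:"/v1"};'),
    ("/healthz", "application/json", '{"status": "ok", "token_ttl": 300}'),
]

def scan_samples() -> list[tuple[str, str, str]]:
    return [f for path, ct, body in SAMPLES for f in find_exposed_credentials(path, ct, body)]
```

Run against captured responses from a crawl that sends no credentials; any hit is a candidate for this finding and should be triaged by rotating the exposed secret first.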
Impact
An attacker who reads the response can use the exposed credential directly against the application or related services, with no password cracking or prior access required. This expands the attack surface and allows unauthorized access at the privilege level associated with the credentials.