H3-2026-0035
Personal Information Disclosure to Unauthenticated Users
| Field | Value |
|---|---|
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.5 |
Description
A web application returned personally identifiable information of users to an unauthenticated client in a publicly accessible response.
Impact
An attacker who reads the response obtains personal data about other users without authorization. The information could be used for extortion, targeted phishing, and possibly account takeover. If affected individuals are in the EU or EEA, this could constitute a personal data breach under the GDPR.