H3-2026-0036¶

Internal System Data Exposure to Unauthenticated Users

Description¶

A web application returned internal infrastructure or implementation details to an unauthenticated client in a publicly accessible response.

Impact¶

An attacker can use the disclosed information to learn internal details about the application's infrastructure and implementation. This does not by itself grant access, but it helps an attacker map the environment and tune subsequent attacks.

References¶

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
• CWE-540: Inclusion of Sensitive Information in Source Code
• OWASP Top Ten: Security Misconfiguration