Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-5128: Steam Trader 2.1.1 Unauthenticated Sensitive
CVE-2026-5128: Steam Trader 2.1.1 Unauthenticated Sensitive

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-5128

CVE-2026-5128: Steam Trader 2.1.1 Unauthenticated Sensitive

A CVSS 10.0 critical vulnerability in steam-trader 2.1.1 exposes Steam account credentials, identity secrets, and shared secrets to unauthenticated remote...

Dylan H.

Security Team

March 30, 2026
3 min read

Affected Products

  • ArthurFiorette/steam-trader 2.1.1

Overview

CVE-2026-5128 is a maximum-severity (CVSS 10.0) sensitive information exposure vulnerability affecting steam-trader version 2.1.1, an open-source library by ArthurFiorette used for Steam account trading automation. The flaw allows any unauthenticated attacker to retrieve highly sensitive Steam account credentials by sending a simple request to the /users API endpoint.

FieldDetails
CVE IDCVE-2026-5128
CVSS Score10.0 (Critical)
Affected Softwaresteam-trader 2.1.1
VendorArthurFiorette (open-source)
Published2026-03-30
Attack VectorNetwork
Authentication RequiredNone

Technical Details

The vulnerability exists in steam-trader's /users API endpoint, which fails to enforce any authentication or authorization checks before returning user records. An attacker with network access to the service can issue an unauthenticated HTTP GET request and receive a full JSON response containing:

  • Steam account username — the account login name
  • Steam account password — plaintext or recoverable credential
  • Identity secret — used for Steam Guard mobile authenticator confirmation
  • Shared secret — used to generate Steam Guard TOTP codes

The exposure of both the identity secret and shared secret is particularly severe, as these values allow an attacker to fully bypass Steam's two-factor authentication and take complete control of the associated Steam account — including wallet funds, inventory items, and linked payment methods.

Impact

Applications deploying steam-trader 2.1.1 in any environment where the service is network-accessible are fully compromised. Attackers can:

  1. Extract all Steam account credentials without any prior access
  2. Bypass Steam Guard 2FA using the leaked shared and identity secrets
  3. Take over Steam accounts including access to digital game libraries and Steam Wallet
  4. Harvest trading secrets enabling fraudulent trade confirmations

Given the nature of Steam accounts — which often hold significant monetary value through games, in-game items, and wallet balances — this vulnerability poses direct financial risk to end users.

Affected Versions

PackageVersionStatus
steam-trader2.1.1Vulnerable

Remediation

Users running steam-trader 2.1.1 should take the following immediate actions:

  1. Take the service offline or restrict network access immediately until patched
  2. Rotate all Steam credentials exposed by the service — change passwords and regenerate shared secrets via Steam settings
  3. Revoke and regenerate Steam Guard mobile authenticator secrets
  4. Monitor Steam accounts for unauthorized logins, trades, or purchases
  5. Check for patches from the upstream maintainer or consider migrating to an alternative library

If the /users endpoint cannot be removed, implement strong authentication (e.g., API key or bearer token validation) before any user data is returned.

References

  • NVD Entry: CVE-2026-5128
  • GitHub: ArthurFiorette/steam-trader
#CVE#Vulnerability#Steam#API Security#Information Disclosure

Related Articles

CVE-2026-33669: SiYuan Unauthenticated Document Content

A critical unauthenticated information disclosure vulnerability in SiYuan, the personal knowledge management system, allows remote attackers to retrieve...

4 min read

CVE-2025-47813: Wing FTP Server Path Disclosure Enables RCE

CISA has added CVE-2025-47813, a medium-severity information disclosure flaw in Wing FTP Server, to its KEV catalog after confirming active exploitation...

5 min read

CVE-2026-35210: OpenCTI Authorization Bypass Allows Confidence Level and Object Marking Circumvention

An authentication bypass vulnerability in OpenCTI prior to 7.260326.0 allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass Confidence Level validation and Object Marking restrictions, potentially escalating access to sensitive threat intelligence data.

3 min read
Back to all Security Alerts