Overview
CVE-2026-5128 is a maximum-severity (CVSS 10.0) sensitive information exposure vulnerability affecting steam-trader version 2.1.1, an open-source library by ArthurFiorette used for Steam account trading automation. The flaw allows any unauthenticated attacker to retrieve highly sensitive Steam account credentials by sending a simple request to the /users API endpoint.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-5128 |
| CVSS Score | 10.0 (Critical) |
| Affected Software | steam-trader 2.1.1 |
| Vendor | ArthurFiorette (open-source) |
| Published | 2026-03-30 |
| Attack Vector | Network |
| Authentication Required | None |
Technical Details
The vulnerability exists in steam-trader's /users API endpoint, which fails to enforce any authentication or authorization checks before returning user records. An attacker with network access to the service can issue an unauthenticated HTTP GET request and receive a full JSON response containing:
- Steam account username — the account login name
- Steam account password — the account password, returned in plaintext or in a recoverable form
- Identity secret — used for Steam Guard mobile authenticator confirmation
- Shared secret — used to generate Steam Guard TOTP codes
The exposure of both the identity secret and shared secret is particularly severe, as these values allow an attacker to fully bypass Steam's two-factor authentication and take complete control of the associated Steam account — including wallet funds, inventory items, and linked payment methods.
Impact
Applications deploying steam-trader 2.1.1 in any environment where the service is network-accessible are fully compromised. Attackers can:
- Extract all Steam account credentials without any prior access
- Bypass Steam Guard 2FA using the leaked shared and identity secrets
- Take over Steam accounts including access to digital game libraries and Steam Wallet
- Harvest trading secrets enabling fraudulent trade confirmations
Given the nature of Steam accounts — which often hold significant monetary value through games, in-game items, and wallet balances — this vulnerability poses direct financial risk to end users.
Affected Versions
| Package | Version | Status |
|---|---|---|
| steam-trader | 2.1.1 | Vulnerable |
Remediation
Users running steam-trader 2.1.1 should take the following immediate actions:
- Take the service offline or restrict network access immediately until patched
- Rotate all Steam credentials exposed by the service — change passwords and regenerate shared secrets via Steam settings
- Revoke and regenerate Steam Guard mobile authenticator secrets
- Monitor Steam accounts for unauthorized logins, trades, or purchases
- Check for patches from the upstream maintainer or consider migrating to an alternative library
If the /users endpoint cannot be removed, implement strong authentication (e.g., API key or bearer token validation) before any user data is returned.