CVE-2026-32810
Medium
Low
Medium
High
Critical
5.5
CVSS Score
Vulnerability Description
Halloy is an IRC application written in Rust. In versions on \*nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in `0644` on files and `0755` on directories. This allows any local user on the system to read plaintext credentials stored in `config.toml` or referenced `password_file` paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
L
Attack Complexity
L
Privileges Required
L
User Interaction
N
Scope
U
Confidentiality
H
Integrity
N
Availability
N
SUSE
CVE-2026-32810
CVE-2026-32810
Severity
Unknown
Released
Apr 16, 2026
Security Update
References & Resources
-
https://github.com/squidowl/halloy/commit/f180e41061db393acf65bc99f5c5e7397586d9cbsecurity-advisories@github.com Patch
-
https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7gsecurity-advisories@github.com Exploit Vendor Advisory
-
https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7g134c704f-9b21-4f2e-91b3-4a467353bcc0 Exploit Vendor Advisory
Severity Details
5.5
out of 10.0
Medium
Weakness Type (CWE)
CWE-732
Incorrect Permission Assignment for Critical Resource
- Description
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
- Exploit Likelihood
- High
- Typical Severity
- High
- Abstraction Level
- Class
Key Information
- Published Date
- March 20, 2026
