CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer
Bulletin ID: 2026-038-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/02/2026 12:15 PM PDT Description: Graph Explorer is an open source application that provides visualization and exploration of data in graph databases such as Amazon Neptune. We identified CVE-2026-10584 where, under certain circumstances, the server silently falls back to HTTP when HTTPS is enabled but certificates are unavailable, resulting in cleartext transmission of sensitive information. Impacted versions: >= 1.1.0 AND < 3.0.1 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
AI Analysis
Technical Summary
Graph Explorer versions >= 1.1.0 and < 3.0.1 have a vulnerability (CVE-2026-10584) where the server falls back to HTTP if HTTPS is enabled but certificates are missing or not properly generated. This fallback causes sensitive data to be transmitted without encryption. The issue is resolved in version 3.0.1. Mitigation includes upgrading to 3.0.1 or applying recommended configuration workarounds to ensure HTTPS is properly enforced and certificates are correctly generated.
Potential Impact
Sensitive information may be exposed in cleartext due to fallback from HTTPS to HTTP when certificates are unavailable, potentially allowing interception of data transmitted between clients and the Graph Explorer server. However, the impact is limited to scenarios where HTTPS is enabled but certificates are not properly configured or generated. No remote code execution or other higher severity impacts are confirmed.
Mitigation Recommendations
Upgrade Graph Explorer to version 3.0.1 or later, where this vulnerability is fixed. If immediate upgrade is not possible, verify that your deployment is serving traffic over HTTPS by checking the protocol in browsers or using tools like curl. Ensure the HOST environment variable is set correctly in docker runs to enable proper certificate generation. Avoid using non-default configuration directory paths when relying on automatic self-signed certificate generation. Follow the AWS Security Bulletin 2026-038-AWS for the latest guidance.
CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer
Description
Bulletin ID: 2026-038-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/02/2026 12:15 PM PDT Description: Graph Explorer is an open source application that provides visualization and exploration of data in graph databases such as Amazon Neptune. We identified CVE-2026-10584 where, under certain circumstances, the server silently falls back to HTTP when HTTPS is enabled but certificates are unavailable, resulting in cleartext transmission of sensitive information. Impacted versions: >= 1.1.0 AND < 3.0.1 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Graph Explorer versions >= 1.1.0 and < 3.0.1 have a vulnerability (CVE-2026-10584) where the server falls back to HTTP if HTTPS is enabled but certificates are missing or not properly generated. This fallback causes sensitive data to be transmitted without encryption. The issue is resolved in version 3.0.1. Mitigation includes upgrading to 3.0.1 or applying recommended configuration workarounds to ensure HTTPS is properly enforced and certificates are correctly generated.
Potential Impact
Sensitive information may be exposed in cleartext due to fallback from HTTPS to HTTP when certificates are unavailable, potentially allowing interception of data transmitted between clients and the Graph Explorer server. However, the impact is limited to scenarios where HTTPS is enabled but certificates are not properly configured or generated. No remote code execution or other higher severity impacts are confirmed.
Mitigation Recommendations
Upgrade Graph Explorer to version 3.0.1 or later, where this vulnerability is fixed. If immediate upgrade is not possible, verify that your deployment is serving traffic over HTTPS by checking the protocol in browsers or using tools like curl. Ensure the HOST environment variable is set correctly in docker runs to enable proper certificate generation. Avoid using non-default configuration directory paths when relying on automatic self-signed certificate generation. Follow the AWS Security Bulletin 2026-038-AWS for the latest guidance.
Technical Details
- Article Source
- {"url":"https://aws.amazon.com/security/security-bulletins/rss/2026-038-aws/","fetched":true,"fetchedAt":"2026-06-02T19:30:41.992Z","wordCount":206}
Threat ID: 6a1f2f61e29bf47b50f7464d
Added to database: 6/2/2026, 7:30:41 PM
Last enriched: 6/2/2026, 7:31:15 PM
Last updated: 6/3/2026, 4:19:38 AM
Views: 115
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.