The linqi application contains hardcoded cryptographic keys (CWE-321) and uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption (CWE-338). These cryptographic weaknesses allow an attacker with local access to perform known-plaintext attacks to decrypt sensitive obfuscated data, such as database connection strings containing credentials from appsettings.json. The vulnerability is rated high severity with a CVSS 4.0 score of 8.5 and does not currently have an official fix or patch available. The issue affects the linqi product by linqi GmbH and is not related to a cloud service.

An attacker with local access to the affected system can exploit the hardcoded cryptographic keys and weak IV generation to decrypt sensitive information, including database credentials stored in configuration files. This could lead to unauthorized access to backend databases and potential data compromise. The vulnerability does not require user interaction and has low attack complexity but requires local privileges.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict local access to trusted users only and consider additional encryption or obfuscation methods for sensitive configuration data. Avoid deploying the affected versions in untrusted environments where local access cannot be tightly controlled.