CVE-2026-29023 is a vulnerability classified under CWE-798 (Use of Hard-coded Credentials) found in KeygraphHQ’s Shannon product, specifically in version 0. The flaw arises from a hard-coded API key embedded within the router configuration. If the router component is enabled and accessible over the network, an attacker can authenticate using this known static key without requiring any privileges or user interaction. This unauthorized access enables the attacker to proxy requests through the Shannon instance, effectively using the victim’s configured upstream provider API credentials. Consequently, attackers can perform unauthorized API calls, potentially leading to abuse of API resources, data exfiltration, and exposure of sensitive request and response data passing through Shannon. The vulnerability has a CVSS 4.0 score of 6.9, reflecting a medium severity with network attack vector, low attack complexity, and no required privileges or user interaction. The scope is limited to the Shannon instance with the router component enabled and exposed. The vendor has addressed the issue in a subsequent commit (023cc95), which mitigates the general exploitability of this vulnerability. No public exploits have been reported to date, but the presence of hard-coded credentials in network-exposed components represents a significant security risk if left unpatched.

The primary impact of CVE-2026-29023 is unauthorized access to the Shannon router component, allowing attackers to proxy API requests using the victim’s upstream API credentials. This can lead to unauthorized API usage, potentially incurring financial costs, service disruptions, or triggering rate limits. Additionally, attackers may gain access to sensitive data contained in proxied requests and responses, resulting in confidentiality breaches. Organizations relying on Shannon for API routing or proxying could face data leakage, reputational damage, and compliance violations if sensitive information is exposed. The vulnerability’s ease of exploitation—requiring no privileges or user interaction—amplifies the risk, especially if the router component is exposed to untrusted networks. However, the impact is somewhat contained by the requirement that the router component be enabled and network-accessible. Overall, this vulnerability poses a moderate risk to organizations using affected versions of Shannon in exposed environments.

To mitigate CVE-2026-29023, organizations should immediately verify whether the Shannon router component is enabled and exposed to untrusted networks. If so, disable the router component until the patch or mitigation commit (023cc95) can be applied. Upgrade Shannon to the fixed version containing the mitigation as soon as it becomes available. Implement network-level access controls such as firewall rules or VPNs to restrict access to the router port to trusted hosts only. Conduct thorough audits of API usage logs to detect any anomalous or unauthorized proxy activity. Avoid embedding static or hard-coded credentials in configuration files or code; instead, use secure credential management solutions and environment variables. Regularly review and update API keys and credentials to minimize the impact of potential leaks. Finally, monitor vendor advisories for any updates or additional patches related to this vulnerability.