CVE-2026-29872: n/a
A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without proper session isolation. Because Streamlit serves multiple concurrent users from a single Python process, credentials provided by one user remain accessible to subsequent unauthenticated users. An attacker can exploit this issue to retrieve sensitive information such as GitHub Personal Access Tokens or LLM API keys, potentially leading to unauthorized access to private resources and financial abuse.
AI Analysis
Technical Summary
CVE-2026-29872 is a vulnerability identified in the awesome-llm-apps project, specifically in a Streamlit-based GitHub MCP Agent implementation. The root cause is the insecure handling of user-supplied API tokens, which are stored in process-wide environment variables (os.environ) without proper session isolation. Streamlit applications typically serve multiple concurrent users from a single Python process. Because environment variables are shared across the entire process, tokens submitted by one user remain accessible to subsequent users, regardless of authentication status. This design flaw leads to cross-session information disclosure, allowing attackers to harvest sensitive credentials such as GitHub Personal Access Tokens and LLM API keys. These tokens can be used to gain unauthorized access to private repositories or cloud services, or to incur financial charges through API abuse. The vulnerability has a CVSS 3.1 score of 8.2 (high severity), reflecting its ease of exploitation (no privileges or user interaction required) and high confidentiality impact. Although no public exploits are known yet, the vulnerability represents a significant risk for any deployment of the affected software or similar Streamlit multi-user apps that use environment variables for sensitive data. The weakness aligns with CWE-284 (Improper Access Control), CWE-200 (Information Exposure), and CWE-522 (Insufficiently Protected Credentials).
Potential Impact
The primary impact of CVE-2026-29872 is the unauthorized disclosure of sensitive API tokens across user sessions in multi-tenant Streamlit applications. Attackers can retrieve GitHub Personal Access Tokens, enabling them to access private repositories, modify code, or exfiltrate data. Similarly, exposed LLM API keys could be abused to generate unauthorized queries, leading to financial losses or data leakage. This vulnerability compromises confidentiality severely, while integrity impact is moderate due to potential unauthorized modifications. Availability impact is minimal. The ease of exploitation without authentication or user interaction increases the risk, especially in publicly accessible deployments. Organizations relying on the affected software or similar Streamlit-based multi-user applications face risks of data breaches, intellectual property theft, and financial abuse. The vulnerability undermines trust in the application and may lead to compliance violations if sensitive data is exposed. Given the widespread use of Streamlit for rapid deployment of data science and AI applications, the scope of affected systems could be broad, particularly in organizations integrating GitHub or LLM APIs.
Mitigation Recommendations
To mitigate CVE-2026-29872, developers should avoid storing user-supplied API tokens in process-wide environment variables. Instead, implement per-session or per-user secure storage mechanisms that isolate credentials, such as in-memory session stores or encrypted databases scoped to individual users. Refactor the application to run each user session in isolated processes or containers where environment variables are not shared. Use Streamlit's session state features or external secure vaults to manage sensitive tokens safely. Additionally, enforce strict access controls and audit logging to detect unauthorized access attempts. Regularly rotate API tokens and implement least privilege principles for token scopes. For existing deployments, immediately review and revoke any potentially exposed tokens and update the application to a patched version once available. Conduct thorough security testing focusing on multi-user session isolation in Streamlit apps. Educate developers on secure credential handling best practices to prevent similar issues.
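The leak and the session-scoped fix described above, as an added example that is not code from the awesome-llm-apps project. It is a plain-Python model in which `Session.state` stands in for Streamlit's `st.session_state`; `DEMO_GITHUB_TOKEN`, the token value and all function names are constructed for illustration.

```python
import os
import threading

ENV_KEY = "DEMO_GITHUB_TOKEN"  # hypothetical name, not taken from the project


class Session:
    """Stand-in for one browser session; `state` plays the role of st.session_state."""
    def __init__(self):
        self.state = {}


def submit_vulnerable(session, token):
    # Pattern from the advisory: the token lands in process-wide state.
    os.environ[ENV_KEY] = token


def read_vulnerable(session):
    return os.environ.get(ENV_KEY)  # returns whatever any session wrote last


def submit_isolated(session, token):
    # Hardened form: the token lives only in the submitting session's state.
    session.state["github_token"] = token


def read_isolated(session):
    return session.state.get("github_token")


def in_thread(fn, *args):
    """Run fn on its own thread, the way one process serves many sessions."""
    box = []
    worker = threading.Thread(target=lambda: box.append(fn(*args)))
    worker.start()
    worker.join()
    return box[0]


def demo():
    alice, visitor = Session(), Session()
    token = "CONSTRUCTED-SAMPLE-TOKEN"  # constructed value, not a real credential
    os.environ.pop(ENV_KEY, None)
    in_thread(submit_vulnerable, alice, token)
    leaked = in_thread(read_vulnerable, visitor)  # a different session reads it
    os.environ.pop(ENV_KEY, None)
    in_thread(submit_isolated, alice, token)
    return {"leaked": leaked, "visitor": in_thread(read_isolated, visitor),
            "owner": in_thread(read_isolated, alice),
            "process_env": os.environ.get(ENV_KEY)}
```

The `process_env` result doubles as a regression check: after the isolated path runs, nothing credential-bearing should remain in `os.environ`.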
Affected Countries
United States, Germany, United Kingdom, Canada, France, Australia, Japan, South Korea, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-03-04T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cac31de6bfc5ba1d5bec98
Added to database: 3/30/2026, 6:38:21 PM
Last enriched: 3/30/2026, 6:53:24 PM
Last updated: 3/30/2026, 9:36:16 PM