CVE-2026-32810: CWE-732: Incorrect Permission Assignment for Critical Resource in squidowl halloy
Halloy is an IRC application written in Rust. In versions on \*nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in `0644` on files and `0755` on directories. This allows any local user on the system to read plaintext credentials stored in `config.toml` or referenced `password_file` paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.
AI Analysis
Technical Summary
CVE-2026-32810 is a vulnerability classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) affecting the Halloy IRC client developed by squidowl. Halloy versions on Unix-like and macOS platforms prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb create configuration directories and files using default umask settings. Typically, this results in files with permissions set to 0644 and directories set to 0755, which are overly permissive for sensitive configuration data. Specifically, the config.toml file and any referenced password files are created with read permissions for all local users. This allows any local user on the system to read plaintext credentials, compromising confidentiality. The vulnerability requires only local access with low privileges; no authentication or user interaction is needed. The referenced patch commit corrects the file and directory permissions to restrict access appropriately, preventing unauthorized local users from reading sensitive configuration files. No known exploits have been reported in the wild, but the risk remains significant in multi-user environments where untrusted users share the same system. The CVSS v4.0 base score is 4.8 (medium), reflecting the local attack vector and limited scope but notable confidentiality impact.
Potential Impact
The primary impact of CVE-2026-32810 is the unauthorized disclosure of plaintext credentials stored in Halloy's configuration files. This can lead to local privilege escalation if credentials are reused, or allow attackers to impersonate legitimate users on IRC networks. Organizations running Halloy on multi-user Unix-like or macOS systems are at risk of insider threats or compromised accounts if local users can access these files. While the vulnerability does not allow remote exploitation or direct code execution, the exposure of credentials can facilitate further attacks, including lateral movement or data exfiltration. The impact is particularly critical in environments where Halloy is used for sensitive communications or where local user separation is weak. Because no user interaction or authentication is required, the barrier to exploitation by any local user is low, which increases risk on shared systems such as servers, workstations, or development environments.
Mitigation Recommendations
To mitigate CVE-2026-32810, organizations should immediately update Halloy to a version that includes commit f180e41061db393acf65bc99f5c5e7397586d9cb or later, which corrects the file and directory permission assignments. Until patched, administrators should manually restrict permissions on the Halloy configuration directory and files to prevent unauthorized read access, for example by setting config files to 0600 and directories to 0700. Additionally, system administrators should audit local user accounts and limit access to trusted users only, especially on multi-user systems. Employing filesystem access control lists (ACLs) or mandatory access controls (MAC) such as SELinux or AppArmor can further restrict access to sensitive files. Monitoring local access logs and using file integrity monitoring tools can help detect unauthorized access attempts. Finally, educating users about the risks of storing plaintext credentials and encouraging the use of encrypted credential storage or keyrings can reduce exposure.
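The manual 0600/0700 restriction described above can be scripted as follows. This is an added example, not code from the Halloy project or its patch. It assumes the caller supplies the config directory (the page does not name it), and the function names are hypothetical. It also tightens files named by `password_file` keys, which may sit outside that directory.

```shell
#!/bin/sh
# Added example: audit and tighten a Halloy config tree.
# Assumption: the caller passes the config directory; the page does not name it.

# Print entries under $1 (symlinks excluded) with any group/other bit set.
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print paths named by `password_file = "..."` lines in $1/config.toml.
# This is a line match with sed, not a full TOML parser.
referenced_password_files() {
    [ -f "$1/config.toml" ] || return 0
    sed -n 's/^[[:space:]]*password_file[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' \
        "$1/config.toml"
}

# Set directories to 0700 and files to 0600, then do the same for referenced
# password files, which may live outside the config tree.
harden_config() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
    referenced_password_files "$1" | while IFS= read -r pw; do
        case $pw in
            /*) if [ -f "$pw" ]; then chmod 600 "$pw"
                else echo "not a regular file: $pw" >&2; fi ;;
            *)  echo "relative path, check by hand: $pw" >&2 ;;
        esac
    done
}

# Stand-alone use: sh harden.sh <config-dir>
if [ "$#" -ge 1 ]; then
    echo "group/other-accessible before hardening:"
    list_exposed "$1"
    harden_config "$1"
fi
```

Files created later by an unpatched build will again follow the umask, so rerun the audit after Halloy writes new files until the fixed version is installed.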
Affected Countries
United States, Germany, United Kingdom, Canada, France, Australia, Netherlands, Japan, South Korea, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-16T17:35:36.696Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bdda59b462d409683a8cc3
Added to database: 3/20/2026, 11:38:01 PM
Last enriched: 3/20/2026, 11:51:54 PM
Last updated: 3/21/2026, 3:31:19 AM