CVE-2026-35467: CWE-522 Insufficiently Protected Credentials in CERT/CC cveClient/encrypt-storage.js
CVE-2026-35467 is a vulnerability in the CERT/CC cveClient's encrypt-storage.js component where API keys stored temporarily in the browser client are insufficiently protected. The credentials are not marked as protected, allowing attackers to extract encryption credentials via the JavaScript console or through other errors. This vulnerability falls under CWE-522, indicating insufficiently protected credentials. No known exploits are currently reported in the wild, and no CVSS score has been assigned. The vulnerability affects version 0 of the product and was published in April 2026. Attackers with access to the browser environment could leverage this flaw to compromise stored API keys, potentially leading to unauthorized access to sensitive services. Mitigation requires securing stored credentials and restricting access to client-side storage. Countries with significant use of CERT/CC tools and high reliance on browser-based API key storage are at higher risk. The severity of this vulnerability is assessed as high due to the potential confidentiality impact and ease of exploitation without authentication requirements.
AI Analysis
Technical Summary
CVE-2026-35467 identifies a security weakness in the CERT/CC cveClient's encrypt-storage.js script, specifically related to the handling of API keys stored temporarily in the browser client environment. The vulnerability is classified under CWE-522, which pertains to insufficiently protected credentials. In this case, the API keys are stored without appropriate protection flags or encryption safeguards that would prevent access through the browser's JavaScript console or other debugging tools. This lack of protection means that an attacker who can execute JavaScript in the victim's browser context or gain access to the browser console can extract the encryption credentials used to secure these API keys. The vulnerability affects version 0 of the product and was publicly disclosed in April 2026. There are no known exploits in the wild at this time, and no CVSS score has been assigned. However, the vulnerability poses a significant risk because it compromises the confidentiality of sensitive API keys, which could be used to access backend services or APIs. The flaw does not require authentication or user interaction beyond access to the browser environment, making it easier to exploit in scenarios where an attacker has local or remote access to the client system. The absence of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation. This vulnerability highlights the importance of securely handling sensitive credentials in client-side storage and ensuring encryption keys themselves are protected from exposure.
Potential Impact
The primary impact of CVE-2026-35467 is the compromise of confidentiality due to exposure of API keys stored in the browser client. If attackers extract these keys, they could gain unauthorized access to backend services, APIs, or sensitive data, potentially leading to data breaches, service disruptions, or further lateral movement within an organization's infrastructure. The integrity of systems relying on these API keys could also be undermined if attackers use the keys to perform unauthorized actions. Availability impact is less direct but could occur if attackers disrupt services using stolen credentials. Since exploitation requires access to the browser environment but no authentication or user interaction, the attack surface includes scenarios such as malicious browser extensions, cross-site scripting (XSS) attacks, or physical access to a device. Organizations worldwide that rely on CERT/CC tools and store sensitive credentials in browser clients are at risk. The lack of a patch increases the window of exposure. Overall, this vulnerability could lead to significant operational and reputational damage if exploited.
Mitigation Recommendations
To mitigate CVE-2026-35467, organizations should immediately audit their use of the cveClient/encrypt-storage.js component and avoid storing sensitive API keys in browser client storage without proper protection. Specific recommendations include:
1) Implement secure storage mechanisms such as the Web Crypto API with hardware-backed key storage or secure enclave technologies to protect encryption keys, so that the key material itself is never exposed to page scripts.
2) Where a credential is carried in a cookie, set the appropriate attributes (HttpOnly, Secure) so it cannot be read via JavaScript; note that these attributes apply only to cookies, not to localStorage or sessionStorage.
3) Employ Content Security Policy (CSP) headers to reduce the risk of XSS attacks that could expose the browser console.
4) Restrict browser console access through enterprise policies or endpoint security controls.
5) Monitor for suspicious activity indicative of credential theft or misuse.
6) Update to patched versions once available and follow CERT/CC advisories for fixes.
7) Educate users about the risks of executing untrusted scripts or browser extensions.
8) Consider moving sensitive credential storage to server-side environments where feasible.
These steps go beyond generic advice by focusing on secure client-side storage practices and reducing attack vectors specific to browser environments.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: certcc
- Date Reserved: 2026-04-02T20:09:50.057Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cef558e6bfc5ba1d04a7f6
Added to database: 4/2/2026, 11:01:44 PM
Last enriched: 4/2/2026, 11:23:55 PM
Last updated: 4/3/2026, 2:07:24 AM