CVE-2026-5128 is a severe information exposure vulnerability found in ArthurFiorette steam-trader version 2.1.1. The flaw resides in the /users API endpoint, which improperly allows unauthenticated requests to retrieve sensitive Steam account data, including usernames, passwords, identity secrets, and shared secrets. These secrets are critical for Steam Guard two-factor authentication (2FA), meaning an attacker can generate valid 2FA codes to bypass security controls. Furthermore, the application logs contain authentication artifacts such as access tokens, refresh tokens, and session identifiers, which can be exploited to hijack authenticated sessions and gain full control over the victim’s Steam account. This includes unauthorized access to inventory and trading functionalities, potentially leading to theft or manipulation of digital assets. The vulnerability is exacerbated by the fact that the steam-trader project is archived and no longer maintained, so no official patches or fixes are available. The CVSS v4.0 score is 10.0 (critical), reflecting the vulnerability’s ease of exploitation (no authentication or user interaction required), the high impact on confidentiality, integrity, and availability, and the broad scope of affected systems. Although no known exploits are reported in the wild yet, the potential for abuse is significant given the sensitive nature of the exposed data and the value of Steam accounts.

The impact of CVE-2026-5128 is severe for organizations and individuals relying on ArthurFiorette steam-trader for managing Steam accounts and trading. Attackers can fully compromise Steam accounts, leading to unauthorized access to digital inventories, trading capabilities, and personal account information. This can result in financial loss, reputational damage, and loss of digital assets. For organizations that use this tool to manage multiple accounts or provide trading services, a breach could lead to widespread account takeovers and significant operational disruption. The exposure of authentication tokens and secrets also undermines the security of Steam Guard 2FA, effectively nullifying this critical security layer. Since no fix is available, affected users face ongoing risk until they discontinue use or migrate to alternative, secure solutions. The vulnerability also raises concerns about trust and security in third-party Steam-related applications, potentially impacting the broader gaming and digital asset trading ecosystem.

Given the absence of an official patch, mitigation requires immediate discontinuation of ArthurFiorette steam-trader version 2.1.1. Users should cease using this software to prevent exposure of sensitive credentials. Organizations must audit their use of third-party Steam management tools and remove or replace unmaintained or vulnerable software. Steam account holders should reset their passwords, revoke all active sessions and tokens, and reconfigure Steam Guard 2FA directly through official Steam channels. Monitoring account activity for unauthorized access is critical. Implement network-level controls to restrict access to any legacy steam-trader API endpoints if still operational. Consider deploying endpoint detection and response (EDR) solutions to detect suspicious activity related to Steam account access. Finally, educate users about the risks of using unmaintained third-party tools and encourage reliance on official or well-supported software.