GHSA-92qf-fcph-v5wr: nextflow auth login command has incorrect default permissions
The nextflow 'auth login' command stores Seqera Platform OIDC tokens in a configuration file with overly permissive default file permissions (0644), making the token file world-readable on multi-user POSIX systems. This allows any local user who can access the victim's home directory to read the token and impersonate the victim within the token's scope. Single-user systems and headless CI runners are not affected. The issue affects versions from 25.09.2-edge through 26.04.1. A fix has been implemented to set the file permissions to 0600 immediately after writing and on every subsequent login. Users must revoke and reissue tokens after upgrading. Workarounds include manually restricting file and directory permissions or supplying the token via an environment variable.
AI Analysis
Technical Summary
The vulnerability arises because the 'nextflow auth login' command saves Seqera Platform OIDC tokens to a file named 'seqera-auth.config' without explicitly setting restrictive file permissions. Under typical POSIX default umask 022, the file is created with mode 0644, making it world-readable. On multi-user POSIX hosts, this allows any local user with access to the victim's home directory to read the token file and impersonate the victim within the token's scope. The affected versions range from 25.09.2-edge through 26.04.1. The patch sets the file permissions to 0600 immediately after writing and on every login to prevent unauthorized access. Users should revoke any tokens stored with the vulnerable permissions and re-authenticate after applying the patch. Workarounds include manually restricting permissions on the token file and its parent directory or using the TOWER_ACCESS_TOKEN environment variable instead of the login command.
Potential Impact
On multi-user POSIX systems, local users who can traverse the victim's home directory can read the Seqera Platform bearer token stored in the 'seqera-auth.config' file due to its world-readable permissions. This enables token theft and impersonation within the token's scope. Single-user systems and headless CI runners are not impacted. The confidentiality of the token is compromised, but integrity and availability are not affected.
Mitigation Recommendations
A fix is available that sets the 'seqera-auth.config' file permissions to 0600 immediately after writing and on every subsequent login, preventing unauthorized access. Users should upgrade to the patched version once released. Tokens stored with the vulnerable permissions must be considered compromised; users should run 'nextflow auth logout', revoke the token in the Seqera Platform UI, and then run 'nextflow auth login' again to obtain a new token. As a workaround, users can manually restrict permissions on the token file and its parent directory using 'chmod 600' and 'chmod 700' respectively, or supply the Platform token via the 'TOWER_ACCESS_TOKEN' environment variable instead of using the login command.
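As an added example (not code from the advisory or the Nextflow project), the following POSIX shell script performs the check a defender would want after reading the recommendations above: it reports the permission bits of the token file and its parent directory, flags either one as insecure when any group or other bit is set (the 0644 case the advisory describes), and with `--fix` applies the `chmod 600` / `chmod 700` workaround. The path `$HOME/.nextflow/seqera-auth.config` is an assumption, since the advisory names only the file and not its directory; override it with the `NXF_TOKEN_FILE` variable.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Nextflow project.
# Audits (and with --fix, hardens) the on-disk permissions of the Seqera
# Platform token file written by 'nextflow auth login'. The advisory names
# the file 'seqera-auth.config' but not its directory, so the default
# location below is an assumption; override it with NXF_TOKEN_FILE.

NXF_TOKEN_FILE="${NXF_TOKEN_FILE:-$HOME/.nextflow/seqera-auth.config}"

# Print the permission bits of a path in octal (GNU stat, then BSD stat).
# Fails (non-zero) when the path does not exist.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Return 0 when any group or other bit is set on the path, i.e. when users
# other than the owner can read, write or traverse it. The leading 0 makes
# the shell parse the mode string as octal before masking with 077.
exposed_to_others() {
  mode=$(mode_of "$1") || return 1
  [ $(( 0$mode & 077 )) -ne 0 ]
}

# Report the token file and its parent directory. Returns 1 if either is
# accessible to other users, 0 if both are owner-only or if the file does
# not exist (nothing on disk to leak).
audit_token_file() {
  file=$1
  dir=$(dirname "$file")
  if [ ! -e "$file" ]; then
    echo "no token file at $file (nothing to audit)"
    return 0
  fi
  rc=0
  for path in "$file" "$dir"; do
    if exposed_to_others "$path"; then
      echo "INSECURE $(mode_of "$path") $path"
      rc=1
    else
      echo "ok       $(mode_of "$path") $path"
    fi
  done
  return $rc
}

# Apply the advisory's workaround (owner-only file 0600, directory 0700) and
# re-audit. This does not undo an exposure that already happened: the advisory
# says a token stored with 0644 must be treated as compromised and reissued.
harden_token_file() {
  file=$1
  if [ ! -e "$file" ]; then
    echo "no token file at $file (nothing to fix)"
    return 0
  fi
  chmod 600 "$file" && chmod 700 "$(dirname "$file")"
  audit_token_file "$file"
}

if [ "${1:-}" = "--fix" ]; then
  harden_token_file "$NXF_TOKEN_FILE"
else
  audit_token_file "$NXF_TOKEN_FILE"
fi
```

The audit treats the parent directory as part of the check because, as the advisory notes, the token is only reachable by another local user who can traverse into the directory; a 0700 directory closes that path even if the file mode were later reset by a vulnerable `auth login`.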
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-92qf-fcph-v5wr
- Osv Schema Version: 1.4.0
- Aliases: CVE-2026-48722
- Ecosystems: Maven
- Database Specific Severity: MODERATE
- Cvss Version: 3.1
Threat ID: 6a3ef7e727e9c79719032ce8
Added to database: 06/26/2026, 22:06:31 UTC
Last enriched: 06/26/2026, 22:45:52 UTC
Last updated: 06/26/2026, 22:45:52 UTC
Views: 2