Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-wjhr-76vg-2hvc: garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store

0
High
Published: 07/15/2026 (07/15/2026, 17:33:00 UTC)
Source: GCVE Database
Product: garminconnect

Description

The garminconnect Python package versions up to 0.3.4 improperly set file permissions on its OAuth token store, creating a world-readable token file on Linux/macOS systems with default umask settings. This allows any local user on a shared host to read the refresh token and gain persistent unauthorized access to the victim's Garmin Connect account. The issue is fixed in version 0.3.5 by enforcing strict owner-only permissions on the token directory and file regardless of umask.

CVSS v3.1

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected software

PyPIghsa
garminconnect
Affected versions
<0.3.5

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 14:25:15 UTC

Technical Analysis

The garminconnect package (≤ 0.3.4) stores OAuth tokens in a file named garmin_tokens.json without restricting file-system permissions, resulting in world-readable files under default Linux umask 022. The token file contains sensitive refresh tokens that can be used to obtain fresh access tokens from Garmin's OAuth endpoint. This vulnerability (CWE-732) allows local users on multi-user systems to steal credentials and access victim accounts. The issue is patched in version 0.3.5 by explicitly setting directory permissions to 0700 and file permissions to 0600 during token storage, independent of the system umask.

Potential Impact

Local users on a multi-user Linux or macOS system can read the garmin_tokens.json file containing the OAuth refresh token due to insecure file permissions. This enables persistent unauthorized access to the victim's Garmin Connect account, including access to health and fitness data, activity history, and device management, until the token is revoked or rotated.

Mitigation Recommendations

Upgrade garminconnect to version 0.3.5 or later, which enforces secure permissions (directory 0700, file 0600) on the token store regardless of umask. If immediate upgrade is not possible, manually restrict permissions on the token directory and file using 'chmod 700 ~/.garminconnect' and 'chmod 600 ~/.garminconnect/garmin_tokens.json'. Additionally, if the token file was exposed on a shared host, consider the refresh token compromised: delete the token store and re-authenticate to obtain a new token.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-wjhr-76vg-2hvc
Osv Schema Version
1.4.0
Aliases
["CVE-2026-54447"]
Ecosystems
["PyPI"]
Database Specific Severity
HIGH
Cvss Version
3.1

Threat ID: 6a58b51168715ace43db3576

Added to database: 07/16/2026, 10:40:17 UTC

Last enriched: 07/16/2026, 14:25:15 UTC

Last updated: 07/16/2026, 14:25:15 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses