GHSA-wjhr-76vg-2hvc: garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store
The garminconnect Python package versions up to 0.3.4 improperly set file permissions on its OAuth token store, creating a world-readable token file on Linux/macOS systems with default umask settings. This allows any local user on a shared host to read the refresh token and gain persistent unauthorized access to the victim's Garmin Connect account. The issue is fixed in version 0.3.5 by enforcing strict owner-only permissions on the token directory and file regardless of umask.
AI Analysis
Technical Summary
The garminconnect package (≤ 0.3.4) stores OAuth tokens in a file named garmin_tokens.json without restricting file-system permissions, resulting in world-readable files under default Linux umask 022. The token file contains sensitive refresh tokens that can be used to obtain fresh access tokens from Garmin's OAuth endpoint. This vulnerability (CWE-732) allows local users on multi-user systems to steal credentials and access victim accounts. The issue is patched in version 0.3.5 by explicitly setting directory permissions to 0700 and file permissions to 0600 during token storage, independent of the system umask.
Potential Impact
Local users on a multi-user Linux or macOS system can read the garmin_tokens.json file containing the OAuth refresh token due to insecure file permissions. This enables persistent unauthorized access to the victim's Garmin Connect account, including access to health and fitness data, activity history, and device management, until the token is revoked or rotated.
Mitigation Recommendations
Upgrade garminconnect to version 0.3.5 or later, which enforces secure permissions (directory 0700, file 0600) on the token store regardless of umask. If immediate upgrade is not possible, manually restrict permissions on the token directory and file using 'chmod 700 ~/.garminconnect' and 'chmod 600 ~/.garminconnect/garmin_tokens.json'. Additionally, if the token file was exposed on a shared host, consider the refresh token compromised: delete the token store and re-authenticate to obtain a new token.
GHSA-wjhr-76vg-2hvc: garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store
Description
The garminconnect Python package versions up to 0.3.4 improperly set file permissions on its OAuth token store, creating a world-readable token file on Linux/macOS systems with default umask settings. This allows any local user on a shared host to read the refresh token and gain persistent unauthorized access to the victim's Garmin Connect account. The issue is fixed in version 0.3.5 by enforcing strict owner-only permissions on the token directory and file regardless of umask.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The garminconnect package (≤ 0.3.4) stores OAuth tokens in a file named garmin_tokens.json without restricting file-system permissions, resulting in world-readable files under default Linux umask 022. The token file contains sensitive refresh tokens that can be used to obtain fresh access tokens from Garmin's OAuth endpoint. This vulnerability (CWE-732) allows local users on multi-user systems to steal credentials and access victim accounts. The issue is patched in version 0.3.5 by explicitly setting directory permissions to 0700 and file permissions to 0600 during token storage, independent of the system umask.
Potential Impact
Local users on a multi-user Linux or macOS system can read the garmin_tokens.json file containing the OAuth refresh token due to insecure file permissions. This enables persistent unauthorized access to the victim's Garmin Connect account, including access to health and fitness data, activity history, and device management, until the token is revoked or rotated.
Mitigation Recommendations
Upgrade garminconnect to version 0.3.5 or later, which enforces secure permissions (directory 0700, file 0600) on the token store regardless of umask. If immediate upgrade is not possible, manually restrict permissions on the token directory and file using 'chmod 700 ~/.garminconnect' and 'chmod 600 ~/.garminconnect/garmin_tokens.json'. Additionally, if the token file was exposed on a shared host, consider the refresh token compromised: delete the token store and re-authenticate to obtain a new token.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-wjhr-76vg-2hvc
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-54447"]
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a58b51168715ace43db3576
Added to database: 07/16/2026, 10:40:17 UTC
Last enriched: 07/16/2026, 14:25:15 UTC
Last updated: 07/16/2026, 14:25:15 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.