CVE-2026-32810

CVE-2026-32810

Name

CVE-2026-32810

Description

Halloy is an IRC application written in Rust. In versions on \*nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in `0644` on files and `0755` on directories. This allows any local user on the system to read plaintext credentials stored in `config.toml` or referenced `password_file` paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/squidowl/halloy/commit/f180e41061db393acf65bc99f5c5e7397586d9cb
security-advisories@github.com	https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7g

Type

URI

security-advisories@github.com

https://github.com/squidowl/halloy/commit/f180e41061db393acf65bc99f5c5e7397586d9cb

security-advisories@github.com

https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7g

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:halloy:halloy::::::::`	halloy	>= None	<= 2026.4

CPE URI

Source package

Min version

Max version

cpe:2.3:a:halloy:halloy:*:*:*:*:*:*:*:*

halloy

>= None

<= 2026.4

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
halloy	edge-community	2026.1.1-r1	DWwanghao <wanghao03@loongson.cn>	possibly vulnerable
halloy	edge-community	2026.1.1-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2026.1-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.12-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.11-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.9-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.8-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.7-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.6-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.5-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.4-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.3-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.2-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2025.1-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	edge-community	2024.14-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable
halloy	3.23-community	2025.12-r0	Celeste <cielesti@protonmail.com>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages