Vulnerability Description
Halloy is an IRC application written in Rust. In versions on \*nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask permissions, which typically results in `0644` on files and `0755` on directories. This allows any local user on the system to read plaintext credentials stored in `config.toml` or referenced `password_file` paths. Commit f180e41061db393acf65bc99f5c5e7397586d9cb patches the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Halloy | Halloy | <= 2026.4 |
Related Weaknesses (CWE)
References
- https://github.com/squidowl/halloy/commit/f180e41061db393acf65bc99f5c5e7397586d9Patch
- https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7gExploitVendor Advisory
- https://github.com/squidowl/halloy/security/advisories/GHSA-x5j2-fr4h-9p7gExploitVendor Advisory
FAQ
What is CVE-2026-32810?
CVE-2026-32810 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Halloy is an IRC application written in Rust. In versions on \*nix and macOS prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb, halloy creates its config directory and files using default umask...
How severe is CVE-2026-32810?
CVE-2026-32810 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32810?
Check the references section above for vendor advisories and patch information. Affected products include: Halloy Halloy.