CVE-2026-23846 HIGH

CVE-2026-23846: Tugtainer vulnerable to Password Exposure via URL Query Parameter

Vendor Quenary
Product tugtainer
Weakness CWE-598
Published January 19, 2026
Last update January 20, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.

Key dates

02Disclosure timeline

January 19, 2026 CVE published
January 20, 2026 Record updated

Related vulnerabilities

04Related CVE