SB2026070765 - Cleartext transmission of sensitive information in scrapy



SB2026070765 - Cleartext transmission of sensitive information in scrapy

Published: July 7, 2026

Security Bulletin ID SB2026070765
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Cleartext transmission of sensitive information (CVE-ID: N/A)

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information and modify transmitted data.

The vulnerability exists due to cleartext transmission of sensitive information in the S3DownloadHandler when sending signed s3 requests over plaintext http by default. A remote attacker can observe or tamper with network traffic to disclose sensitive information and modify transmitted data.

Only requests made with AWS credentials are affected, and temporary credentials may expose the X-Amz-Security-Token.


Remediation

Install update from vendor's website.