High (8.2)

CVE-2026-29872: RCE — Patch Guide


A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Age...

Overview

A critical information disclosure vulnerability has been identified in the awesome-llm-apps project, specifically in a Streamlit-based GitHub MCP Agent. The flaw, tracked as CVE-2026-29872, stems from improper isolation of user sessions.

Vulnerability Details

In the affected application, user-supplied sensitive credentials, such as GitHub Personal Access Tokens or LLM API keys, are stored in the Python process’s global environment variables. Because Streamlit applications typically run multiple user sessions within a single, shared Python process, these credentials are not isolated. Any data written to os.environ becomes visible to all other users connecting to the same application instance. An attacker can simply query the environment variables from their session to retrieve another user’s tokens, requiring no authentication or special interaction.

Impact

The impact of this vulnerability is severe. If successfully exploited, it allows an unauthenticated attacker to steal:

  • GitHub Personal Access Tokens, potentially leading to unauthorized access to private repositories, code theft, or even malicious commits, as seen in incidents like the GlassWorm attack force-pushing malware.
  • LLM API Keys, which could be used for financial abuse, incurring substantial charges, or accessing proprietary AI models and data.

Exploitation is simple, reliable, and leaves no trace for the victim user.

Remediation and Mitigation

If you have deployed or used the affected version of the awesome-llm-apps project (commit e46690f from 2026-01-19), take these steps immediately:

  1. Rotate All Exposed Credentials: Consider any API tokens or keys entered into the vulnerable application as compromised. Immediately revoke and replace all GitHub Personal Access Tokens and LLM API keys that were supplied to the app.
  2. Update or Modify the Application: The root cause is the use of process-global os.environ for session data. The application code must be modified to store user session data in an isolated context, such as Streamlit’s session state (st.session_state), which is properly scoped to individual users.
  3. Audit Access: Review logs for your GitHub organization and LLM API providers for any suspicious activity originating from unrecognized IP addresses or locations following the use of this tool.
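To support step 2, the following added example (not code from the awesome-llm-apps project) uses Python's ast module to list every write to os.environ in a source file, so each one can be reviewed and moved to st.session_state. The two sample sources and the key names in them are constructed for illustration.

```python
import ast

# Constructed samples (not the project's code): the pattern the advisory
# describes, and the session-scoped alternative it recommends.
VULNERABLE = '''
import os
import streamlit as st
token = st.text_input("GitHub token", type="password")
if token:
    os.environ["GITHUB_TOKEN"] = token
os.environ.update({"OPENAI_API_KEY": st.text_input("LLM key")})
'''
FIXED = '''
import streamlit as st
token = st.text_input("GitHub token", type="password")
if token:
    st.session_state["github_token"] = token
'''

MUTATORS = {"update", "setdefault"}  # os.environ methods that store values


def _is_environ(node):
    """True for the literal expression `os.environ` (aliases are not resolved)."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def find_environ_writes(source):
    """Return sorted (line, kind) pairs for writes to the process-global env."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Assign, ast.AugAssign, ast.AnnAssign)):
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for target in targets:
                if isinstance(target, ast.Subscript) and _is_environ(target.value):
                    hits.append((node.lineno, "os.environ[...] assignment"))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in MUTATORS and _is_environ(node.func.value):
                hits.append((node.lineno, f"os.environ.{node.func.attr}()"))
    return sorted(hits)


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, find_environ_writes(src))
```

The check matches only the literal name os.environ; code that imports environ under another name needs a manual search.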

Security Insight

This vulnerability highlights a recurring pattern in the rapid development of AI tooling: security best practices for multi-user applications are often overlooked. The mistake of using global process state for user data is a classic web development error, now reappearing in new AI agent frameworks. It serves as a reminder that the integration of powerful, credentialed agents into web interfaces demands the same rigorous session and secret management as any traditional enterprise application.
