CVE-2026-32810 Overview
CVE-2026-32810 is an Insecure Permissions vulnerability affecting Halloy, an IRC application written in Rust. On *nix and macOS systems, versions prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb create configuration directories and files using default umask permissions, which typically results in 0644 on files and 0755 on directories. This misconfiguration allows any local user on the system to read plaintext credentials stored in config.toml or referenced password_file paths, leading to potential credential theft and unauthorized access to IRC servers.
Critical Impact
Local users can read plaintext IRC credentials from Halloy configuration files, potentially compromising user accounts and enabling unauthorized IRC server access.
Affected Products
- Halloy IRC Application (versions prior to commit f180e41061db393acf65bc99f5c5e7397586d9cb)
- *nix-based systems running Halloy
- macOS systems running Halloy
Discovery Timeline
- 2026-03-20 - CVE-2026-32810 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32810
Vulnerability Analysis
The vulnerability stems from Halloy's failure to apply restrictive file permissions when creating its configuration directory and associated files. When a user runs Halloy for the first time, the application creates configuration files without explicitly setting secure permissions. Instead, it relies on the process's default umask, which on most Unix-like systems is 022. This results in world-readable file permissions (0644) for configuration files and world-readable, world-searchable directory permissions (0755) for the configuration directory.
The config.toml file and any password_file paths referenced within it may contain sensitive IRC authentication credentials. With world-readable permissions, any local user with shell access to the system can read these files and extract plaintext passwords. This is particularly concerning in multi-user environments, shared hosting scenarios, or systems where multiple accounts have been compromised.
Root Cause
The root cause is CWE-732: Incorrect Permission Assignment for Critical Resource. Halloy did not implement proper file permission handling during configuration file creation, neglecting to explicitly set restrictive permissions (such as 0600 for files and 0700 for directories) to prevent unauthorized local access to sensitive credential data.
Attack Vector
This is a local attack vector requiring the attacker to have user-level access to the same system where Halloy is installed. The exploitation path involves:
- An attacker gains local access to a multi-user system running Halloy
- The attacker enumerates other users' home directories for Halloy configuration files
- Due to the permissive 0644 file permissions, the attacker reads the config.toml file
- Plaintext IRC credentials are extracted from the configuration
- The attacker uses stolen credentials to impersonate the victim on IRC servers
The vulnerability does not require special privileges beyond basic local user access, and exploitation leaves minimal forensic traces since it only involves reading files that the filesystem permissions allow.
Detection Methods for CVE-2026-32810
Indicators of Compromise
- Unexpected access attempts to ~/.config/halloy/config.toml by non-owner users
- File access logs showing reads of Halloy configuration files from unauthorized accounts
- Suspicious IRC login activity from different IP addresses using compromised credentials
- Evidence of enumeration scripts targeting user home directories for configuration files
Detection Strategies
- Monitor file access patterns using auditd rules for Halloy configuration directories
- Implement file integrity monitoring (FIM) on sensitive configuration paths
- Review IRC server authentication logs for anomalous login patterns
- Use host-based intrusion detection to identify unauthorized file access attempts
- Regularly audit file permissions on sensitive application configuration directories
Monitoring Recommendations
- Configure auditd to log all read attempts on ~/.config/halloy/ directories system-wide
- Enable SentinelOne endpoint monitoring for suspicious file enumeration activities
- Implement centralized logging for IRC authentication events to correlate with local access
- Set up alerts for multiple failed or successful IRC logins from disparate geographic locations
How to Mitigate CVE-2026-32810
Immediate Actions Required
- Update Halloy to a version containing commit f180e41061db393acf65bc99f5c5e7397586d9cb or later
- Manually fix existing configuration file permissions using chmod 600 ~/.config/halloy/config.toml
- Rotate any IRC credentials that may have been exposed in world-readable configuration files
- Audit your system for other users who may have accessed the configuration files
- Review IRC account activity for signs of unauthorized access
Patch Information
The vulnerability is patched in commit f180e41061db393acf65bc99f5c5e7397586d9cb. Users should update to a Halloy version that includes this commit. For detailed information about the security issue, refer to the GitHub Security Advisory GHSA-x5j2-fr4h-9p7g.
Workarounds
- Manually set restrictive permissions on existing configuration files and directories
- Store password files in locations with pre-existing restrictive permissions
- Use a restrictive umask (e.g., 077) before running Halloy for initial configuration
- Consider using encrypted credential storage mechanisms external to Halloy
- Limit local shell access on systems where Halloy stores sensitive credentials
# Fix permissions on existing Halloy configuration (directory first, so nothing is listable while files are tightened)
chmod 700 ~/.config/halloy/
chmod 600 ~/.config/halloy/config.toml
chmod 600 ~/.config/halloy/password_file   # adjust to the path given by password_file in config.toml, if any
# Verify permissions are correctly set (expect drwx------ and -rw-------)
ls -la ~/.config/halloy/
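As an added illustration (not Halloy's own code or the patch in the commit above), the umask-dependent creation pattern described under Root Cause is shown next to a hardened version that requests 0700/0600 at creation time and also tightens pre-existing paths from older installs, together with a small audit helper of the kind the "manually set restrictive permissions" workaround and the permission-audit recommendation call for. The explicit `set_permissions` step for existing paths is this example's own choice, and the directory names and config contents used in testing are constructed.

```rust
use std::fs::{self, DirBuilder, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Vulnerable pattern (CWE-732): directory and file inherit the process umask,
/// so with the usual 022 they end up 0755 / 0644 and every local user can read them.
pub fn create_config_umask(dir: &Path, contents: &str) -> io::Result<()> {
    fs::create_dir_all(dir)?;
    fs::write(dir.join("config.toml"), contents)
}

/// Hardened pattern: request 0700 / 0600 when the kernel creates the object. A umask
/// can only clear bits, so no umask value widens these modes. Because mode() has no
/// effect on paths that already exist, pre-existing ones are tightened explicitly.
pub fn create_config_private(dir: &Path, contents: &str) -> io::Result<()> {
    // recursive(): the 0700 mode also applies to any missing parent directories.
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    fs::set_permissions(dir, Permissions::from_mode(0o700))?;
    let path = dir.join("config.toml");
    let mut file = OpenOptions::new()
        .write(true).create(true).truncate(true).mode(0o600).open(&path)?;
    // Tighten before writing so an old 0644 file never holds new credentials while exposed.
    fs::set_permissions(&path, Permissions::from_mode(0o600))?;
    file.write_all(contents.as_bytes())
}

/// Permission bits (0o777 mask) of a path, used by the audit and the checks below.
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Audit helper: returns the directory itself plus every direct child whose group or
/// other bits are set, i.e. anything a non-owner could read or traverse.
pub fn find_exposed(dir: &Path) -> io::Result<Vec<PathBuf>> {
    let mut exposed = Vec::new();
    if mode_of(dir)? & 0o077 != 0 {
        exposed.push(dir.to_path_buf());
    }
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        if mode_of(&path)? & 0o077 != 0 {
            exposed.push(path);
        }
    }
    Ok(exposed)
}
```

Pointing `find_exposed` at ~/.config/halloy reproduces the manual `ls -la` check above as a pass/fail result that can be scripted into a periodic permission audit.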
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

