CVE-2026-48790

MEDIUMPre-NVD 5.55.5
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.5 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
5.5
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 5.5Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

turso-cli persists Turso platform JWT with world-readable (0o644) file permissions

Summary

turso-cli persists the user's Turso platform JWT to settings.json using Viper's default configPermissions of 0o644, leaving the credential file world-readable on standard Linux and macOS systems. Any other local UID on the host can read the file and recover the platform JWT, which grants full Turso platform access scoped to the user's organizations.

Impact

The token in settings.json grants the holder full Turso platform access — create or destroy databases, rotate credentials, exfiltrate data, change billing settings — for any organization the user belongs to.

Because the file is world-readable, the credential is reachable by:

  • Cron jobs or daemons running as a different system user on the same host
  • Sandboxed CI runners with a mounted home directory
  • Containers with a bind-mounted host home
  • Co-tenants on a shared multi-user developer or jumpbox host

The file path resolves through configdir.LocalConfig("turso"):

  • macOS: ~/Library/Application Support/turso/settings.json
  • Linux: ~/.config/turso/settings.json (or $XDG_CONFIG_HOME/turso/settings.json)

It contains the platform JWT in plaintext JSON alongside organization and username fields.

Comparable CLIs (gh, aws, docker, gcloud, plus close peers planetscale, neon, upstash) write credential files at 0o600 explicitly, so this is a deviation from the cross-vendor baseline rather than a deliberate trade-off.

Details

The OAuth callback handler stores the platform JWT via the settings layer:

// internal/cmd/auth.go:205-214
jwt, err := callbackServer.Result()
...
settings.SetToken(jwt)

SetToken writes through Viper:

// internal/settings/settings.go:124-127
func (s *Settings) SetToken(token string) {
    viper.Set("token", token)
    s.changed = true
}

Persistence runs through viper.WriteConfig:

// internal/settings/settings.go:96-101
func TryToPersistChanges() error {
    if err := viper.WriteConfig(); err != nil {
        return fmt.Errorf("failed to persist turso settings file: %w", err)
    }
    return nil
}

Viper v1.21.0 (pinned in turso-cli go.mod) initializes configPermissions to os.FileMode(0o644) at viper.go:198 and passes that mode straight to os.OpenFile at viper.go:1688. Without a call to viper.SetConfigPermissions(0o600), the resulting settings.json is created at 0o644.

A grep over the auth-config write path under internal/ returns zero hits for Chmod, 0o600, or 0600, confirming there is no follow-up tightening of the file mode anywhere on the persistence path.

Proof of concept

Minimal reproducer using the same Viper version turso-cli pins (github.com/spf13/viper v1.21.0):

package main

import ( "fmt" "os" "path/filepath"

"github.com/spf13/viper" )

func main() { dir, _ := os.MkdirTemp("", "viperpoc-*") defer os.RemoveAll(dir)

viper.SetConfigName("settings") viper.SetConfigType("json") viper.AddConfigPath(dir)

viper.Set("token", "FAKE_TURSO_JWT_xxxxxxxxxxxxxxxxxxxx") viper.Set("organization", "exampleorg") viper.SafeWriteConfig()

st, _ := os.Stat(filepath.Join(dir, "settings.json")) fmt.Printf("mode: %o\n", st.Mode()&0o777) }

$ go run main.go mode: 644

The same SafeWriteConfig / WriteConfig calls turso-cli uses produce the same 0o644 mode in a real turso auth login flow.

Remediation

One-line fix at the existing Viper configuration site in internal/settings/settings.go (around lines 48-50):

viper.SetConfigName("settings")
viper.SetConfigType("json")
viper.AddConfigPath(configPath)
viper.SetConfigPermissions(0o600) // restrict settings.json to owner only

Defense in depth:

  • Add os.Chmod(configFile, 0o600) after TryToPersistChanges, or on read (as PlanetScale does in internal/config/config.go — they Stat the token file and self-heal if Mode() &^ 0o600 is nonzero). viper.SetConfigPermissions applies only on file creation, so an existing wider-mode file is not tightened otherwise.
  • Add os.Chmod(configPath, 0o700) after configdir.MakePath(configPath) (line 43) to close the equivalent gap on the enclosing directory, which is otherwise created under the default umask.

Patch: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66

Workarounds

Until upgraded, users can tighten the existing files manually:

# Linux
chmod 600 ~/.config/turso/settings.json
chmod 700 ~/.config/turso

macOS

chmod 600 "$HOME/Library/Application Support/turso/settings.json" chmod 700 "$HOME/Library/Application Support/turso"

This must be repeated after any operation that recreates the file (e.g. turso auth login) until the patched version is installed.

Resources

  • Patch commit: https://github.com/tursodatabase/turso-cli/commit/ffb914849216ef5a86353b3fa6cee66f33af3b66
  • Viper configPermissions default: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L198
  • Viper write path: https://github.com/spf13/viper/blob/v1.21.0/viper.go#L1688
  • CWE-276: https://cwe.mitre.org/data/definitions/276.html
  • CWE-732: https://cwe.mitre.org/data/definitions/732.html

CVSS v3
5.5
EG Score
5.5(low)
EPSS
KEV
Not listed

Published

June 26, 2026

Last Modified

June 26, 2026

Vendor Advisories for CVE-2026-48790(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 7× in last 7d / 11× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 09:00 UTCEG score recompute
  2. 2026-07-05 10:11 UTCEG score recompute
  3. 2026-07-04 11:28 UTCEG score recompute
  4. 2026-07-03 12:46 UTCEG score recompute
  5. 2026-07-02 13:57 UTCEG score recompute
  6. 2026-07-01 15:14 UTCEG score recompute
  7. 2026-06-30 16:32 UTCEG score recompute
  8. 2026-06-29 17:50 UTCEG score recompute
  9. 2026-06-28 19:06 UTCEG score recompute
  10. 2026-06-27 20:23 UTCEG score recompute
  11. 2026-06-26 21:41 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-48790?
CVE-2026-48790 is a medium vulnerability published on June 26, 2026. turso-cli persists Turso platform JWT with world-readable (0o644) file permissions Summary turso-cli persists the user's Turso platform JWT to settings.json using Viper's default configPermissions of 0o644, leaving the credential file world-readable on standard Linux and macOS systems. Any other…
When was CVE-2026-48790 disclosed?
CVE-2026-48790 was first published in the National Vulnerability Database on June 26, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-48790?
CVE-2026-48790 has a CVSS v4.0 base score of 5.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-48790?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48790, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-48790

Explore →

Is Your Infrastructure Affected by CVE-2026-48790?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.