CVE-2026-54447

HIGHPre-NVD 8.48.4
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.4 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
8.4
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 8.4Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store

Insecure Permission Assignment for Garmin OAuth Token Store

Summary

garminconnect (≤ 0.3.4) wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask (022) the token file garmin_tokens.json was created world-readable (0o644). The file contains the DI refresh token, so any other local user on a shared host could read it and obtain persistent, unauthorized access to the victim's Garmin Connect account.

  • Severity: High
  • Weakness: CWE-732 (Incorrect Permission Assignment for Critical Resource)
  • Affected versions: <= 0.3.4
  • Patched version: 0.3.5

Details

Client.dump() created the token directory and file with no mode argument, leaving permissions entirely to the process umask:

def dump(self, path: str) -> None:
    p = Path(path).expanduser()
    if p.is_dir() or not p.name.endswith(".json"):
        p = p / "garmin_tokens.json"
    p.parent.mkdir(parents=True, exist_ok=True)   # no mode=
    p.write_text(self.dumps())                     # no permission restriction

The serialized payload includes di_token, di_refresh_token, and di_client_id. The call is in the core library (Garmin.login(tokenstore=...) persists tokens this way), and all shipped usage examples default the token store to ~/.garminconnect.

Under umask 022 the resulting permissions were:

  • token directory → 0o755
  • garmin_tokens.json0o644 (world-readable)

A separate, unprivileged user on the same machine could read the file with a plain open() — no elevated privileges required — and extract the refresh token.

Impact

Local credential theft / privilege escalation on multi-user Linux or macOS hosts running under a permissive umask. The stolen refresh token can be exchanged for fresh access tokens via Garmin's OAuth endpoint, granting ongoing access to the victim's account (health/fitness data, activity history, device management) until the token is revoked.

Patch

Fixed in 0.3.5 (commit 77a3837). dump() now creates the directory as 0o700 and writes the token file as 0o600 regardless of umask — using os.open(..., O_CREAT|O_WRONLY|O_TRUNC, 0o600) with O_NOFOLLOW where available, plus a defensive chmod that also tightens a pre-existing loose file:

p.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
with contextlib.suppress(OSError):
    p.parent.chmod(0o700)
flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
if hasattr(os, "O_NOFOLLOW"):
    flags |= os.O_NOFOLLOW
fd = os.open(p, flags, 0o600)
with os.fdopen(fd, "w", encoding="utf-8") as f:
    f.write(self.dumps())
with contextlib.suppress(OSError):
    p.chmod(0o600)

Verified under umask 022: directory 0o700, file 0o600, no group/other access.

Workarounds

If you cannot upgrade immediately, restrict the token store manually and keep it owner-only:

chmod 700 ~/.garminconnect
chmod 600 ~/.garminconnect/garmin_tokens.json

Remediation

  • Upgrade to garminconnect >= 0.3.5:
pip install --upgrade garminconnect
  • Fix any token file already on disk — upgrading only tightens permissions
on the *next* write, so an existing world-readable file stays exposed until then:
chmod 600 ~/.garminconnect/garmin_tokens.json
   # or remove it and log in again to mint a fresh token store
  • **If the file was exposed on a shared host, treat the refresh token as
compromised.** Re-authenticate (delete the token store and log in again) so a new token is issued; consider the previously stored token potentially read by others until rotated.

Credit

Reported by EQSTLab via a private security advisory. garminconnect thanks them for the detailed, responsible disclosure.

CVSS v3
8.4
EG Score
8.4(low)
EPSS
KEV
Not listed

Published

July 15, 2026

Last Modified

July 15, 2026

Vendor Advisories for CVE-2026-54447(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 17:54 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-54447?
CVE-2026-54447 is a high vulnerability published on July 15, 2026. garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store Insecure Permission Assignment for Garmin OAuth Token Store Summary garminconnect (≤ 0.3.4) wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask (022) the token…
When was CVE-2026-54447 disclosed?
CVE-2026-54447 was first published in the National Vulnerability Database on July 15, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-54447?
CVE-2026-54447 has a CVSS v4.0 base score of 8.4 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-54447?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-54447, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-54447

Explore →

Is Your Infrastructure Affected by CVE-2026-54447?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.