CVE-2026-48722
Vulnerability Summary
### Impact
`nextflow auth login` persists Seqera Platform OIDC tokens to `${NXF_HOME:-~/.nextflow}/seqera-auth.config`. The file is created via Java NIO without specifying file permissions, so under the default `umask 022` it lands at mode `0644` (world-readable).
On a multi-user POSIX host — typically an HPC login node, shared workstation, or jump host — any local user able to traverse the victim's home directory can read the file and obtain a valid Platform bearer token, enabling impersonation against Seqera Platform within the token's scope.
Single-user systems and headless CI runners, which do not invoke the interactive login flow, are not affected.
Affected versions: `25.09.2-edge` through `26.04.1`.
### Patches
Fixed in `<PATCHED_VERSION>`. The patched code applies mode `0600` to `seqera-auth.config` immediately after writing it, and re-applies on every subsequent login so any pre-existing world-readable copy left by an earlier version is tightened.
Tokens previously stored in the file must be treated as disclosed. After upgrading, run `nextflow auth logout`, revoke the token in the Seqera Platform UI, and run `nextflow auth login` again.
### Workarounds
Restrict the file and its parent directory:
`chmod 600 "${NXF_HOME:-$HOME/.nextflow}/seqera-auth.config"`
`chmod 700 "${NXF_HOME:-$HOME/.nextflow}"`
Setting `umask 077` in the shell before running `nextflow auth login` makes an unpatched version create the file as `0600` in the first place, but it does not change a file that already exists, and none of these steps revokes a token that may already have been read.
Alternatively, supply the Platform token via the `TOWER_ACCESS_TOKEN` environment variable instead of running `nextflow auth login`, so that no token is written to disk at all.
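The following script is an added example, not code from the advisory or from the Nextflow project. It audits one `NXF_HOME` for the condition described above (token file readable by group or other, and the directory traversable by other users) and, with `--fix`, applies the two `chmod` commands from the workaround. The function names `audit_nxf_home` and `tighten_nxf_home` are this example's own; it assumes GNU `stat -c` or BSD `stat -f`, inspects only the classic mode bits (not POSIX ACLs), and does not check the ancestors of `NXF_HOME` such as `$HOME` itself.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the Nextflow project.
# Audits one NXF_HOME for a world-readable seqera-auth.config and, on
# request, applies the chmod workaround. Assumes GNU stat (-c) or BSD
# stat (-f); ancestors of NXF_HOME and POSIX ACLs are not examined.

# Print the user/group/other permission digits of a path, e.g. "644".
perm_digits() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    while [ ${#m} -lt 3 ]; do m=0$m; done   # stat prints "40" for mode 040
    printf '%s\n' "${m#"${m%???}"}"        # keep only the last three digits
}

# Succeed if the group or other digit of $1 carries the read bit (4).
readable_by_others() {
    d=$(perm_digits "$1")
    g=${d#?}; g=${g%?}     # middle digit: group
    o=${d#??}              # last digit: other
    for x in "$g" "$o"; do
        case "$x" in 4|5|6|7) return 0 ;; esac
    done
    return 1
}

# Succeed if the group or other digit of directory $1 carries the
# execute bit (1), i.e. other users can traverse into it.
traversable_by_others() {
    d=$(perm_digits "$1")
    g=${d#?}; g=${g%?}
    o=${d#??}
    for x in "$g" "$o"; do
        case "$x" in 1|3|5|7) return 0 ;; esac
    done
    return 1
}

# Audit the NXF_HOME given as $1. Returns 0 if the token file cannot be
# read by other local users, 1 if it can (file readable AND directory
# traversable), 2 if there is no token file to protect.
audit_nxf_home() {
    home=$1
    f=$home/seqera-auth.config
    [ -f "$f" ] || { printf 'no token file at %s\n' "$f"; return 2; }
    if readable_by_others "$f" && traversable_by_others "$home"; then
        printf 'EXPOSED: %s is mode %s, %s is mode %s\n' \
            "$f" "$(perm_digits "$f")" "$home" "$(perm_digits "$home")"
        return 1
    fi
    printf 'ok: %s is mode %s, %s is mode %s\n' \
        "$f" "$(perm_digits "$f")" "$home" "$(perm_digits "$home")"
    return 0
}

# Apply the advisory's workaround: 0600 on the file, 0700 on the directory.
tighten_nxf_home() {
    chmod 600 "$1/seqera-auth.config" && chmod 700 "$1"
}

# Usage: sh audit_seqera_auth.sh --audit | --fix   (operates on NXF_HOME)
case "${1-}" in
    --audit) audit_nxf_home "${NXF_HOME:-$HOME/.nextflow}" ;;
    --fix)   tighten_nxf_home "${NXF_HOME:-$HOME/.nextflow}" \
             && audit_nxf_home "${NXF_HOME:-$HOME/.nextflow}" ;;
esac
```

The audit only reports an exposure when both conditions hold, because a `0644` file inside a `0700` directory is not reachable by other users; on a shared login node you would run it as each affected user (or iterate over home directories as root) before and after the upgrade, and then still rotate the token as the Patches section instructs, since a clean result now says nothing about what was readable earlier.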
### References
- https://cwe.mitre.org/data/definitions/276.html
CVSS v3.1 Base Metrics
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
Vector string: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N` (base score 5.5, Medium)