CVE-2026-10584: Graph Explorer HTTPS Fallback to HTTP Vulnerability
Graph Explorer versions prior to 3.0.1 contain a flaw in their proxy server that causes HTTPS connections to silently downgrade to unencrypted HTTP when certificate files are unavailable. An attacker positioned to intercept network traffic could potentially eavesdrop on sensitive information that was intended to be transmitted securely. This is a configuration-dependent issue—the vulnerability manifests only when certificates are missing—but the silent fallback behavior makes it particularly insidious because applications may not explicitly warn users that encryption has been disabled.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-319
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the proxy server component of Graph Explorer and stems from insecure fallback behavior related to missing TLS certificates (CWE-319: Cleartext Transmission of Sensitive Information). When the proxy server cannot locate or load required certificate files, instead of failing securely or raising an error, it reverts to HTTP. This allows network communications that should be protected by TLS to traverse the network in plaintext. An attacker capable of passive network interception—such as an adversary on the same network segment, a compromised ISP, or a rogue access point—could capture these unencrypted requests and extract sensitive data. The vector indicates this requires network access and non-default conditions (high attack complexity), but no user interaction or special privileges are needed once those conditions are met.
Business impact
If Graph Explorer is deployed in environments handling sensitive API requests, credentials, tokens, or authentication headers, this vulnerability could lead to credential compromise or unauthorized access to backend systems. The risk is amplified in scenarios where certificate provisioning is automated or where missing certificates might not be immediately noticed by operators. Organizations relying on Graph Explorer for development, testing, or production API exploration may inadvertently expose authentication material or API payloads to interception if certificates are misconfigured or not properly deployed.
Affected systems
Graph Explorer versions before 3.0.1 are vulnerable. No specific vendor distribution information was provided in the advisory. Organizations using Graph Explorer should verify their installed version immediately. The vulnerability does not affect Graph Explorer 3.0.1 and later.
Exploitability
Exploitation requires two conditions: (1) the target must be running a vulnerable version of Graph Explorer with missing certificate files, and (2) the attacker must be in a network position to intercept traffic (passive wiretapping on the network path). The CVSS score of 5.9 (MEDIUM) reflects the high confidentiality impact balanced against these preconditions. This is not a zero-click, remote code execution vulnerability; however, it does not require user interaction once the preconditions are met. An attacker cannot force certificate deletion, so exploitation depends on misconfigurations or deployment errors.
Remediation
Upgrade Graph Explorer to version 3.0.1 or later immediately. This version resolves the insecure fallback behavior. Ensure that TLS certificate files are properly provisioned and validated during deployment. As an interim mitigation before patching, verify that certificate files are present and accessible, and consider restricting Graph Explorer instances to isolated networks or authenticated access only.
Patch guidance
Apply Graph Explorer version 3.0.1 or any subsequent release. No intermediate patches for earlier major versions have been indicated. Verify the patch installation by confirming the version string and, if possible, testing that HTTPS connections fail gracefully rather than silently falling back to HTTP when certificates are unavailable. Establish certificate management practices to prevent this misconfiguration from recurring.
Detection guidance
Review Graph Explorer deployment configurations to identify instances running versions prior to 3.0.1. Monitor for missing or inaccessible certificate files in your Graph Explorer installation directories. Network detection is challenging because the traffic itself would appear as plaintext HTTP; focus detection efforts on configuration audits and version scanning. Check proxy server logs for any indications of certificate load failures or HTTP fallback events, if logging is enabled.
Why prioritize this
Although scored as MEDIUM severity, this vulnerability should be prioritized based on your organization's exposure. If Graph Explorer is used in production or handles sensitive API traffic, upgrade immediately. If it is confined to isolated development environments with non-sensitive traffic, the risk is lower but still warrants prompt patching to prevent future misconfiguration. The silent nature of the fallback and the ease of certificate misconfiguration make this a candidate for near-term remediation in any environment.
Risk score, explained
The CVSS 3.1 score of 5.9 reflects a high confidentiality impact (C:H) if interception occurs, but is tempered by high attack complexity (AC:H) due to the requirement for missing certificates and attacker network positioning. No integrity or availability impact is scored. The score is not adjusted for user interaction (UI:N) because once conditions are met, exploitation is automatic. This MEDIUM rating appropriately signals a serious issue that requires attention but acknowledges that real-world exploitation depends on specific deployment mistakes.
Frequently asked questions
Do I need to be on the same network as the target to exploit this?
Not necessarily. The attacker must be positioned to intercept traffic on the network path between the Graph Explorer client and server—this could be achieved through a rogue access point, compromised router, ISP-level interception, or a man-in-the-middle position. Passive eavesdropping on a shared network segment is a common scenario.
Will upgrading to 3.0.1 break my existing configuration?
Upgrading to 3.0.1 fixes the insecure fallback; however, if you are currently relying on HTTP fallback as a workaround for missing certificates, the upgrade will require you to properly provision TLS certificates before Graph Explorer will function. This is a security improvement, not a regression. Consult the Graph Explorer 3.0.1 release notes for any other breaking changes.
How can I tell if my Graph Explorer is vulnerable right now?
Check your installed version using the version command or by inspecting the application's about page. If it reports a version number below 3.0.1, you are vulnerable. Additionally, verify that your TLS certificate files are present and accessible in the expected locations. If certificates are missing and HTTP traffic is being generated, the vulnerability is active.
Is this vulnerability in the CISA KEV catalog?
No, this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities catalog, which means there is no confirmed evidence of active, real-world exploitation as of the advisory date. However, this should not lower your patching priority if Graph Explorer is in use in your environment.
This analysis is based on the CVE description and CVSS vector provided and should be treated as general guidance. Organizations must verify all facts, version numbers, and patch applicability against their deployed systems and the official vendor advisory. SEC.co does not guarantee the completeness or accuracy of third-party vendor information. No exploit code or weaponized proof-of-concept is provided herein. This analysis is for defensive and educational purposes only. Always test patches in a non-production environment before deploying to critical systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2023-52951MEDIUMSynology Note Station Client Cleartext Credential Transmission Vulnerability
- CVE-2026-25599MEDIUMOrca Heat Pump Unauthenticated HTTP and Stored XSS Vulnerability
- CVE-2026-36610MEDIUMMercusys AC12G EU Plaintext DDNS Credential Disclosure
- CVE-2026-43625MEDIUMCodexBar Session Cookie Leakage – Urgent Patch Required
- CVE-2026-34126HIGHTP-Link Tapo Unencrypted Bluetooth Setup Vulnerability – L535E, P300, D100C
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)