HIGH 7.3

CVE-2026-8876: Hardcoded AES Keys in Securly Chrome Extension 3.0.7

Securly version 3.0.7 of their Chrome Extension contains hardcoded encryption keys embedded directly in the minified JavaScript file. These keys are meant to protect sensitive data like crisis alert keywords and intervention site configurations, but because they're hardcoded and visible in the browser extension code, anyone with access to the extension can decrypt that data. This is a classic case of storing secrets where they shouldn't be stored—effectively rendering the encryption useless.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-798
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-8876 involves the exposure of plaintext AES passphrases within securly.min.js in Securly Chrome Extension version 3.0.7. These hardcoded credentials are used to decrypt two categories of sensitive configuration data: crisis alert keyword definitions and intervention site lists. The vulnerability falls under CWE-798 (Use of Hardcoded Credentials). An attacker who obtains the extension code—either through direct inspection, decompilation, or network interception—can extract the keys and decrypt the protected datasets without authentication or privilege escalation. The CVSS 3.1 score of 7.3 (HIGH) reflects the combination of network accessibility, low attack complexity, no privilege requirement, and resulting confidentiality and integrity impacts.

Business impact

Organizations deploying Securly for student/employee monitoring face compromise of their crisis intervention strategy and filter configuration. If crisis keywords and monitored site lists are exposed, threat actors could learn which behaviors or web domains trigger alerts, enabling evasion. Compromised site blocklists could be reverse-engineered to identify organizational security policies. Additionally, the incident undermines trust in the extension as a security tool and exposes the organization to regulatory or reputational risk if sensitive behavioral data becomes public. For Securly's reputation, this represents a fundamental security architecture failure that could accelerate customer churn.

Affected systems

Securly Chrome Extension version 3.0.7 is the confirmed affected release. Users of earlier or later versions should verify their build number against Securly's security advisory, as the vendor's patch timeline and backport strategy will determine the full scope of vulnerable installations in the wild.

Exploitability

Exploitation requires minimal resources. An attacker only needs to access the extension code, which is feasible through browser developer tools, extension extraction, or supply-chain interception. No user interaction, server compromise, or advanced reverse-engineering is required. The barrier to extracting the hardcoded keys and decrypting the protected data is very low, making this a practical vulnerability for determined adversaries. The absence of KEV designation does not reflect low exploitability—it reflects whether CISA has evidence of active in-the-wild exploitation, which may lag behind actual threat activity.

Remediation

Securly must immediately release a patched version that removes hardcoded keys from the extension code and transitions to a secure key derivation or key management approach—for example, deriving keys from user-specific or device-specific values, or fetching keys from a secure backend during extension initialization. Users should upgrade to the patched version as soon as it is available. Organizations should audit their deployed versions to identify systems still running 3.0.7 and enforce automatic or manual updates through Chrome policies or device management.

Patch guidance

Monitor Securly's official security advisory for the specific patch version number and release timeline. Once available, deploy the update through Chrome's auto-update mechanism or enforce it via organizational policies (e.g., ExtensionInstallForcelist or equivalent endpoint management controls). Verify that the patched version is installed across all user endpoints before considering the vulnerability remediated. Document the update deployment for compliance records.

Detection guidance

Network and endpoint teams should look for suspicious decryption activity or unauthorized access attempts to Securly extension files. Browser extension monitoring tools can flag modifications or unexpected access to securly.min.js. Additionally, organizations can audit installed extension versions via Chrome management consoles or endpoint detection and response (EDR) platforms to identify systems still on version 3.0.7. Log any extraction of extension code from user workstations, as this activity pattern may indicate adversary reconnaissance.

Why prioritize this

Although not yet on CISA's KEV list, this vulnerability warrants urgent prioritization due to its high CVSS score, trivial exploitability, and strategic value to adversaries seeking to understand or circumvent organizational monitoring policies. The hardcoding of credentials is a severe architectural flaw that requires immediate remediation. Any organization using Securly for security monitoring should treat this as a critical patch candidate.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects: (1) network accessibility with low attack complexity, (2) no authentication or user interaction required, (3) confidentiality impact through exposure of encrypted configuration data, (4) integrity impact if an attacker manipulates decrypted data before re-encryption or uses the plaintext keys to forge data, and (5) potential availability impact if the extension's core functionality is disrupted. The score appropriately elevates this beyond medium severity due to the combination of ease of exploitation and the sensitivity of the affected data.

Frequently asked questions

Can we detect if an attacker has already extracted the keys from our deployed extensions?

Direct detection of past key extraction is difficult without comprehensive logging of extension file access. However, you can identify systems running the vulnerable version 3.0.7 and assume exposure risk. Post-patch, monitor for unusual decryption or encryption operations and review any alerts or interventions that do not match your expected security policies, as these may indicate tampering.

Does this vulnerability allow remote code execution or full extension compromise?

This vulnerability specifically exposes hardcoded credentials used to decrypt configuration data. It does not directly enable remote code execution or complete browser compromise. However, the extracted keys and decrypted data can be weaponized to craft targeted attacks or evasion strategies against the organization's monitoring infrastructure.

If we update to the patched version, do we need to rotate or change our crisis keywords and monitored site lists?

Updating the extension addresses the code-level vulnerability, but it does not eliminate the risk that the plaintext data extracted from the previous version is already in an attacker's possession. Consider this in your risk model: if you believe attackers accessed your configuration during the vulnerability window, updating the extension alone may not prevent evasion based on previously obtained data. A more thorough response includes reviewing and potentially updating your monitoring policies after patch deployment.

Why wasn't this vulnerability caught in code review or security testing before release?

This is a critical failure in the vendor's secure development lifecycle. Hardcoded secrets in production code are a fundamental anti-pattern that should be flagged by static analysis tools, code review checklists, and security testing. Securly's failure to catch this suggests gaps in their tooling, process rigor, or security training.

This analysis is based on published vulnerability data as of the modification date (2026-06-17). Patch availability, vendor timelines, and organizational impact may evolve. Verify all remediation guidance against official Securly security advisories and your organization's specific deployment. SEC.co does not provide legal, compliance, or specific tactical incident response advice; consult your security team, legal counsel, and vendor support as needed. No exploit code or weaponized proof-of-concept is provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).