—
PYSEC-2026-696
Information disclosure vulnerability in OnionShare
Details
An information disclosure vulnerability in OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to retrieve the full list of participants of a non-public OnionShare node via the --chat feature.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / onionshare-cli
Introduced in:
2.3 Fixed in: 2.4 Fix
pip install --upgrade 'onionshare-cli>=2.4' References
- https://nvd.nist.gov/vuln/detail/CVE-2021-41867 [ADVISORY]
- https://github.com/onionshare/onionshare [PACKAGE]
- https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4 [WEB]
- https://www.ihteam.net/advisory/onionshare [WEB]
- https://pypi.org/project/onionshare-cli [PACKAGE]
- https://github.com/advisories/GHSA-6rvj-pw9w-jcvc [ADVISORY]