External risk intelligence

Sensitive Data Exposure Vulnerability in API and Local Database

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-7166

The vulnerability involves an API endpoint that exposes sensitive user data, including email addresses and phone numbers. APIs of this nature are commonly deployed as internet-facing services to facilitate data exchange, making it likely that such an interface would be reachable from the public internet in standard deployments.

Information Disclosure

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves the unauthorized exposure of sensitive user data, including email and phone numbers, through an API and local database. This could allow attackers to access confidential information without proper authentication.

  • Sensitive data exposed via API and database.
  • Important for understanding potential data breaches.
  • Confirm relevance and assess exposure to sensitive data.

Attack Path

How an attacker could exploit the issue

An attacker can access sensitive user information, including email addresses, phone numbers, and data concerning minors and municipal users, by targeting an API that exposes this data without adequate protection. This vulnerability extends to a local database where similar sensitive information is accessible.

  • Unauthenticated remote access is required.
  • The API exposes email and phone number fields.
  • Access to sensitive user and municipal data.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could expose sensitive user data, including email addresses and phone numbers, through an unprotected API. The local database may also contain accessible sensitive information. Under supported conditions, an unauthenticated remote attacker could gain access to this data.

  • Email and phone number data at risk.
  • Unprotected API exposure is possible.
  • Unauthorized access to sensitive data.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability, involving an API that exposes sensitive user data like email addresses and phone numbers, likely falls under the responsibility of application owners or platform teams who manage the API's development and deployment. The first practical step is to identify all instances of this API, confirm its exposure and criticality, and then engage the accountable owner to plan remediation based on the identified risk.

  • Application or platform teams should own.
  • Verify API exposure and data sensitivity.
  • Plan risk-based remediation actions.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the software associated with CVE-2026-7166?

CVE-2026-7166 affects a system known as the Assassin Game, identified in vulnerability research notices. This application utilizes an API and a local database to manage user information, including specialized records for municipal users and minors. It is designed to facilitate data exchange for these users, though its current configuration fails to sufficiently protect sensitive personal details.

What does CWE-200 mean for this vulnerability?

CWE-200 is the weakness class for Exposure of Sensitive Information to an Unauthorized Actor. In the context of CVE-2026-7166, it means the application is revealing private data—such as email addresses and phone numbers—without verifying who is requesting it. Instead of keeping this information restricted, the system makes it accessible to anyone who can reach the affected API or local database, bypassing standard privacy controls.

How can an attacker trigger this data exposure?

An attacker triggers this vulnerability by sending remote, unauthenticated requests to the API endpoints that house the unprotected user data. The vulnerability relies on the system failing to require login credentials or session tokens before serving information. It is important to note that this is not triggered by user-level actions like clicking a link; rather, it is a backend flaw where the system simply provides the data if the correct request is sent to the interface.

Is my system at risk of this API data exposure?

According to Halo Surface Signal, this vulnerability is considered likely to be reachable from the public internet. Because the API is designed to exchange information, it is often deployed in internet-facing configurations by default. If your deployment makes this interface accessible to the public, the risk of unauthorized data access is significantly higher compared to services restricted to internal, private networks.

What should I do if I run this technology?

The first step is to locate all instances of the application within your infrastructure and determine if the API is currently reachable from the internet. Once you have identified these components, you should coordinate with the teams managing the application development or platform deployment. They need to verify the specific exposure points and prioritize securing the API and database to prevent unauthorized access to the stored sensitive information.

References