Kotaemon Plaintext Password Storage Vulnerability in localStorage
Vulnerability
A vulnerability exists in Kotaemon version 0.11.0, where passwords are stored in plaintext in the client's localStorage. This issue is compounded by a separate vulnerability (CVE-2025-56526) that allows for stored cross-site scripting (XSS) through unsanitized PDF content rendering. An authenticated user with document upload permissions can exploit this to steal credentials, leading to session hijacking and a loss of trust in the application's document processing.
Impact
Exploitation of this vulnerability allows for the theft of plaintext usernames and passwords from localStorage, resulting in unauthorized access to user accounts and associated data.
Reproduction
To reproduce this vulnerability, upload a PDF containing a crafted image or table that exploits the XSS vulnerability (CVE-2025-56526) by injecting a script that accesses localStorage. Once the PDF is uploaded and viewed, the script will execute, exfiltrating the stored credentials to an external server.
Remediation
Users are advised to monitor the official Kotaemon repository for security patches and to avoid uploading untrusted documents.
