{"id":"CVE-2024-28120","summary":"API key leak in codeium-chrome","details":"codeium-chrome is an open-source code completion plugin for the Chrome web browser. The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium API key, and thus impersonate the user on the backend autocomplete server. This issue has not been addressed. Users are advised to monitor the usage of their API key.","aliases":["GHSA-8c7j-2h97-q63p"],"modified":"2026-03-14T12:27:56.633364Z","published":"2024-03-11T21:14:22.675Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-200","CWE-284"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28120.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28120.json"},{"type":"ADVISORY","url":"https://github.com/Exafunction/codeium-chrome/security/advisories/GHSA-8c7j-2h97-q63p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28120"},{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2024-027_GHSL-2024-028_codeium-chrome"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/exafunction/codeium-chrome","events":[{"introduced":"0"},{"last_affected":"53351b4b3dba1da3d3f50e3b2cd5c7eb3db3da6e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.2.52"}]}}],"versions":["1.2.52"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28120.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}