{"id":"PYSEC-2026-696","summary":"Information disclosure vulnerability in OnionShare","details":"An information disclosure vulnerability in OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to retrieve the full list of participants of a non-public OnionShare node via the --chat feature. ","aliases":["CVE-2021-41867","GHSA-6rvj-pw9w-jcvc"],"modified":"2026-07-06T08:00:49.185608625Z","published":"2026-07-02T14:13:13.896919Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41867"},{"type":"PACKAGE","url":"https://github.com/onionshare/onionshare"},{"type":"WEB","url":"https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4"},{"type":"WEB","url":"https://www.ihteam.net/advisory/onionshare"},{"type":"PACKAGE","url":"https://pypi.org/project/onionshare-cli"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-6rvj-pw9w-jcvc"}],"affected":[{"package":{"name":"onionshare-cli","ecosystem":"PyPI","purl":"pkg:pypi/onionshare-cli"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.3"},{"fixed":"2.4"}]}],"versions":["2.3","2.3.1","2.3.2","2.3.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/onionshare-cli/PYSEC-2026-696.yaml"}}],"schema_version":"1.7.5"}