Canarytoken Self-Attack Possible with Older Versions

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

1.3

Canarytoken Self-Attack Possible with Older Versions

CVE-2026-28355

Summary

Older versions of Canarytoken's Progressive Web App (PWA) feature allow the creator to inject malicious code into their own token, which can execute when they or someone else opens the installation link. This can happen if you or others click on an older version of a PWA Canarytoken. To fix this, update your self-hosted Canarytoken installation to the latest Docker image, or any version after sha-7ff0e12.

Original title

Original description

Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with. The creator of a PWA Canarytoken can insert Javascript into the title field of their PWA token. When the creator later browses the installation page for their own Canarytoken, the Javascript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS, and send the install link to a victim. When they click on it, the Javascript would execute. However, no sensitive information (ex. session information) will be disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after sha-7ff0e12.

nvd CVSS4.0 1.3

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://github.com/thinkst/canarytokens/security/advisories/GHSA-6734-fqcj-x5h3

Published: 27 Feb 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026