CVE-2025-52493
Stored secrets exposed in webpage DOM at configuration page
An information disclosure vulnerability was identified in the Runbook Automation configuration interface where stored secrets were transmitted to the client browser and only masked using HTML password input fields. The actual cleartext values of secrets were present in the page DOM and could be revealed by authenticated administrators through simple browser developer tools manipulation, such as changing an input field type from "password" to "text".
Impact
Affected versions: Runbook Automation versions prior to 5.14.0
This vulnerability affects the configuration page (/config/index) where secrets are displayed. An authenticated administrator with access to the configuration page could extract all stored secrets by inspecting and modifying the page's HTML elements. These exposed secrets could include API keys, service account credentials, or other sensitive tokens that provide access to integrated systems and services.
Patches
Patched versions: 5.14.0
This vulnerability has been remediated in Runbook Automation version 5.14.0. The fix ensures that secret values are no longer transmitted to the client browser for display purposes.
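A regression check for the condition described above, written as an added example (not code from Runbook Automation or its fix): it parses rendered HTML and reports password inputs that arrive with a non-empty value attribute. The sample markup, field names and the function name find_prefilled_secrets are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup (not taken from the product): one form echoes a
# stored secret into a masked field, the other sends only an empty field.
LEAKY_PAGE = """
<form action="/config/save">
  <input type="text" name="service.url" value="https://example.invalid/api">
  <input type="password" name="service.apiToken" value="s3cr3t-constructed-value">
</form>
"""
FIXED_PAGE = """
<form action="/config/save">
  <input type="text" name="service.url" value="https://example.invalid/api">
  <input type="password" name="service.apiToken" value="" placeholder="(stored)">
</form>
"""


class PrefilledSecretFinder(HTMLParser):
    """Collects password inputs whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; self-closing tags
        # are routed here as well.
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        is_password = a.get("type", "").strip().lower() == "password"
        if is_password and a.get("value", "").strip():
            # Record only the field name, never the secret itself.
            self.findings.append(a.get("name") or a.get("id") or "<unnamed>")


def find_prefilled_secrets(html):
    """Return names of masked fields that carry a cleartext value in the markup."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print("leaky:", find_prefilled_secrets(LEAKY_PAGE))
    print("fixed:", find_prefilled_secrets(FIXED_PAGE))
```

Run against the HTML a server actually returns for its settings pages, an empty result means no masked field was pre-populated in the markup; it does not cover secrets delivered by other means such as script data or later API responses.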
Workarounds
Upgrade to Runbook Automation version 5.14.0 or later. No workarounds are available for earlier versions.
For more information
If you have any questions or comments about this advisory:
- Open an issue in our forums
- Enterprise Customers can open a Support ticket