CVE-2026-54447

CVE-2026-54447 is a high-severity incorrect permission assignment for critical resource vulnerability in garminconnect (pip), affecting versions <= 0.3.4. It is fixed in 0.3.5.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store

Insecure Permission Assignment for Garmin OAuth Token Store

garminconnect (≤ 0.3.4) wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask (022) the token file garmin_tokens.json was created world-readable (0o644). The file contains the DI refresh token, so any other local user on a shared host could read it and obtain persistent, unauthorized access to the victim's Garmin Connect account.

  • Severity: High
  • Weakness: CWE-732 (Incorrect Permission Assignment for Critical Resource)
  • Affected versions: <= 0.3.4
  • Patched version: 0.3.5

Details

Client.dump() created the token directory and file with no mode argument, leaving permissions entirely to the process umask:

def dump(self, path: str) -> None:
    p = Path(path).expanduser()
    if p.is_dir() or not p.name.endswith(".json"):
        p = p / "garmin_tokens.json"
    p.parent.mkdir(parents=True, exist_ok=True)   # no mode=
    p.write_text(self.dumps())                     # no permission restriction

The serialized payload includes di_token, di_refresh_token, and di_client_id. The call is in the core library (Garmin.login(tokenstore=...) persists tokens this way), and all shipped usage examples default the token store to ~/.garminconnect.

Under umask 022 the resulting permissions were:

  • token directory → 0o755
  • garmin_tokens.json0o644 (world-readable)

A separate, unprivileged user on the same machine could read the file with a plain open(), no elevated privileges required, and extract the refresh token.

Workarounds

If you cannot upgrade immediately, restrict the token store manually and keep it owner-only:

chmod 700 ~/.garminconnect
chmod 600 ~/.garminconnect/garmin_tokens.json

Remediation

  1. Upgrade to garminconnect >= 0.3.5:
    pip install --upgrade garminconnect
    
  2. Fix any token file already on disk, upgrading only tightens permissions
    on the next write, so an existing world-readable file stays exposed until
    then:
    chmod 600 ~/.garminconnect/garmin_tokens.json
    # or remove it and log in again to mint a fresh token store
    
  3. If the file was exposed on a shared host, treat the refresh token as
    compromised.
    Re-authenticate (delete the token store and log in again) so
    a new token is issued; consider the previously stored token potentially
    read by others until rotated.

Credit

Reported by EQSTLab via a private security advisory. garminconnect thanks them for the detailed, responsible disclosure.

Impact

Local credential theft / privilege escalation on multi-user Linux or macOS hosts running under a permissive umask. The stolen refresh token can be exchanged for fresh access tokens via Garmin's OAuth endpoint, granting ongoing access to the victim's account (health/fitness data, activity history, device management) until the token is revoked.

A file, directory, or other resource is assigned permissions that allow broader access than intended. Typical impact: unauthorized read, modification, or execution of the resource.

CVE-2026-54447 has a CVSS score of 8.4 (High). The vector is requires local access, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.3.5); upgrading removes the vulnerable code path.

Affected versions

garminconnect (<= 0.3.4)

Security releases

garminconnect → 0.3.5 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Fixed in 0.3.5 (commit 77a3837). dump() now creates the directory as 0o700 and writes the token file as 0o600 regardless of umask, using os.open(..., O_CREAT|O_WRONLY|O_TRUNC, 0o600) with O_NOFOLLOW where available, plus a defensive chmod that also tightens a pre-existing loose file:

p.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
with contextlib.suppress(OSError):
    p.parent.chmod(0o700)
flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
if hasattr(os, "O_NOFOLLOW"):
    flags |= os.O_NOFOLLOW
fd = os.open(p, flags, 0o600)
with os.fdopen(fd, "w", encoding="utf-8") as f:
    f.write(self.dumps())
with contextlib.suppress(OSError):
    p.chmod(0o600)

Verified under umask 022: directory 0o700, file 0o600, no group/other access.

Frequently Asked Questions

  1. What is CVE-2026-54447? CVE-2026-54447 is a high-severity incorrect permission assignment for critical resource vulnerability in garminconnect (pip), affecting versions <= 0.3.4. It is fixed in 0.3.5. A file, directory, or other resource is assigned permissions that allow broader access than intended.
  2. How severe is CVE-2026-54447? CVE-2026-54447 has a CVSS score of 8.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of garminconnect are affected by CVE-2026-54447? garminconnect (pip) versions <= 0.3.4 is affected.
  4. Is there a fix for CVE-2026-54447? Yes. CVE-2026-54447 is fixed in 0.3.5. Upgrade to this version or later.
  5. Is CVE-2026-54447 exploitable, and should I be worried? Whether CVE-2026-54447 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-54447 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-54447? Upgrade garminconnect to 0.3.5 or later.

Stop the waste.
Protect your environment with Kodem.