HIGH · CVSS 7.8
Class vulnerability — OpenAI Assistants API thread history leakage via leaked key
Leaked OpenAI key with team-account scope can read every Assistant thread + attached file.
Affects
- OpenAI Assistants API users with leaked keys
What an attacker does
LLMjacking attacker with leaked sk-proj- key calls /v1/threads/<thread_id>/messages — extracts customer conversation history + attached files.
How to detect
Audit Assistants thread-history retention policy + key scope
How to fix
Rotate leaked key; reduce per-key scope to inference-only; set thread-history retention to minimum
Securie findinghigh · CVSS 7.8
CVE-2024-XXXXHow Securie catches CVE-2024-XXXX
Securie's secret_scanner + secrets-lifecycle catch leaked key + flag rotation playbook.
Scan my repo for CVE-2024-XXXX →Securie scans every PR · free during early access