PT-2026-52646 · Seqera · Nextflow+1

Published: 2026-06-25 · Updated: 2026-06-25 · CVE-2026-48722

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Nextflow versions 25.09.2-edge through 26.04.1

Description

The nextflow auth login command persists Seqera Platform OIDC tokens to the ${NXF_HOME:-~/.nextflow}/seqera-auth.config file. Because the file is created via Java NIO without specifying permissions, it is created with mode 0644 under the default umask 022, making it world-readable. On multi-user POSIX hosts, such as HPC login nodes or shared workstations, any local user who can traverse the victim's home directory can read this file to obtain a valid Platform bearer token and impersonate the user within the token's scope.

Recommendations

Update to the patched version. As a temporary workaround, restrict the file and its parent directory by running chmod 600 "${NXF_HOME:-$HOME/.nextflow}/seqera-auth.config" and chmod 700 "${NXF_HOME:-$HOME/.nextflow}". Alternatively, provide the Platform token via the TOWER_ACCESS_TOKEN environment variable instead of using the nextflow auth login command. After upgrading, run nextflow auth logout, revoke the token in the Seqera Platform UI, and run nextflow auth login again.
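
The temporary workaround above as a small audit-and-fix script. This is an added example, not code from the advisory or from Nextflow; the function names mode_of, audit_nxf_auth and harden_nxf_auth are hypothetical, and the BSD/macOS stat fallback is an assumption about the host.

```shell
#!/bin/sh
# Added example: audit and apply the advisory's temporary workaround.
# Function names are hypothetical; paths follow the advisory text.

# Octal permission bits of a path (GNU stat, then BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Report the token file and its parent directory; return 1 if either one
# grants any permission to group or other.
audit_nxf_auth() {
    nxf_dir="${NXF_HOME:-$HOME/.nextflow}"
    nxf_file="$nxf_dir/seqera-auth.config"
    if [ ! -e "$nxf_file" ]; then
        echo "no token file at $nxf_file"
        return 0
    fi
    audit_status=0
    for nxf_path in "$nxf_file" "$nxf_dir"; do
        nxf_mode=$(mode_of "$nxf_path")
        # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
        if [ $(( 0$nxf_mode & 077 )) -ne 0 ]; then
            echo "EXPOSED  $nxf_mode  $nxf_path"
            audit_status=1
        else
            echo "ok       $nxf_mode  $nxf_path"
        fi
    done
    return "$audit_status"
}

# The workaround from the advisory: directory 700, token file 600.
harden_nxf_auth() {
    nxf_dir="${NXF_HOME:-$HOME/.nextflow}"
    chmod 700 "$nxf_dir" && chmod 600 "$nxf_dir/seqera-auth.config"
}

# "fix" applies the workaround first; with no argument the script only reports.
if [ "${1:-}" = "fix" ]; then harden_nxf_auth; fi
audit_nxf_auth || echo "exposed: rerun with 'fix' to apply the workaround"
```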

Fix

Incorrect Default Permissions

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2026-48722
GHSA-92QF-FCPH-V5WR

Affected Products

Nextflow
Seqera Platform