garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store
garminconnect (≤ 0.3.4) wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask (022) the token file garmin_tokens.json was created world-readable (0o644). The file contains the DI refresh token, so any other local user on a shared host could read it and obtain persistent, unauthorized access to the victim's Garmin Connect account. Severity: High Weakness: CWE-732 (Incorrect Permission Assignment for Critical Resource) Affected versions: …