CVE-2026-48722: nextflow auth login command has incorrect default permissions
nextflow auth login persists Seqera Platform OIDC tokens to ${NXF_HOME:-~/.nextflow}/seqera-auth.config. The file is created via Java NIO without specifying file permissions, so under the default umask 022 it lands at mode 0644 (world-readable).
On a multi-user POSIX host — typically an HPC login node, shared workstation, or jump host — any local user able to traverse the victim’s home directory can read the file and obtain a valid Platform bearer token, enabling impersonation against Seqera Platform within the token’s scope.
Single-user systems and headless CI runners, which do not invoke the interactive login flow, are not affected.
Affected versions: 25.09.2-edge through 26.04.1.
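As an added example (not Nextflow's or Seqera's own code), a small POSIX shell helper an administrator can run on a shared host to check whether an existing seqera-auth.config is exposed to other users and to restrict it to its owner; it flags any group or other bits, which is slightly stricter than the world-readable case the advisory describes. The function names and the stat invocations are assumptions, not part of the project.

```shell
#!/bin/sh
# Added example, not Nextflow's code: detect and fix an over-permissive
# Seqera auth config on a multi-user POSIX host (GNU or BSD stat assumed).

# The path Nextflow writes the token to: ${NXF_HOME:-~/.nextflow}/seqera-auth.config
auth_config_path() {
    printf '%s/seqera-auth.config\n' "${NXF_HOME:-$HOME/.nextflow}"
}

# Octal permission bits of a file, e.g. "644"; tries GNU stat, then BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 = private to the owner, 1 = group or other has any access bit,
# 2 = file does not exist (nothing to fix on this host).
check_auth_config() {
    f="$1"
    [ -f "$f" ] || return 2
    mode=$(file_mode "$f")
    # Leading 0 makes the shell treat the digits as octal; 077 masks
    # the group and other permission bits.
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        return 0
    fi
    return 1
}

# Restrict the file to its owner (0600) and re-check the result.
harden_auth_config() {
    f="$1"
    [ -f "$f" ] || return 2
    chmod 600 "$f"
    check_auth_config "$f"
}
```

Typical use on a login node is `harden_auth_config "$(auth_config_path)"`; the token file itself is untouched, only its mode changes.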