PYSEC-2026-1807

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pubnub/PYSEC-2026-1807.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1807
Aliases
Published
2026-07-07T11:45:28.184221Z
Modified
2026-07-07T17:56:14.430840384Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
pubnub Insufficient Entropy vulnerability
Details

Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to inefficient implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.

Note:

In order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the encryption.

References

Affected packages

PyPI / pubnub

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.3.0

Affected versions

3.*
3.3
3.3.1
3.3.2
3.3.4
3.3.5
3.5.0
3.5.1
3.5.2
3.5.3
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.8.0
3.8.1
3.8.2
3.8.3
3.9.0
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.1.0
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.2.0
4.2.1
4.3.0
4.4.0
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.6.0
4.6.1
4.7.0
4.8.0
4.8.1
5.*
5.0.0
5.0.1
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.3.0
5.3.1
5.4.0
5.5.0
6.*
6.0.0
6.0.1
6.1.0
6.2.0
6.3.0
6.3.1
6.3.2
6.3.3
6.4.0
6.4.1
6.5.0
6.5.1
7.*
7.0.0
7.0.1
7.0.2
7.1.0
7.2.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pubnub/PYSEC-2026-1807.yaml"