PYSEC-2026-1893

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/salt/PYSEC-2026-1893.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1893
Aliases
Published
2026-07-07T16:02:54.928384Z
Modified
2026-07-07T17:47:49.494192344Z
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Salt's salt.auth.pki module does not properly authenticate callers
Details

The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.

References

Affected packages

PyPI / salt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3006.0rc1
Fixed
3006.12
Introduced
3007.0rc1
Fixed
3007.4

Affected versions

3006.*
3006.0rc1
3006.0rc2
3006.0rc3
3006.0
3006.1
3006.2
3006.3
3006.4
3006.5
3006.6
3006.7
3006.8
3006.9
3006.10
3006.11
3007.*
3007.0rc1
3007.0
3007.1
3007.2
3007.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/salt/PYSEC-2026-1893.yaml"