PYSEC-2026-1902

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/salt/PYSEC-2026-1902.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1902
Aliases
Published
2026-07-07T16:03:21.156662Z
Modified
2026-07-07T17:48:09.469233771Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L CVSS Calculator
  • 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Salt Authentication Protocol Version Downgrade Allows Minion Impersonation
Details

Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.

References

Affected packages

PyPI / salt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3006.12
Fixed
3006.17
Introduced
3007.4
Fixed
3007.9

Affected versions

3006.*
3006.12
3006.13
3006.14
3006.15
3006.16
3007.*
3007.4
3007.5
3007.6
3007.7
3007.8

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/salt/PYSEC-2026-1902.yaml"