Skip to main content

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

Vulnerability IntelligenceGHSA-vcf3-26xf-fw4m

GHSA-vcf3-26xf-fw4m

HIGH7.5

Salt Authentication Protocol Version Downgrade Allows Minion Impersonation

Published Jan 30, 2026

Modified 1 months ago

Fix available

Details

Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.

Affected Packages

salt

PyPI

Fixed in:

3006.17

salt

PyPI

Fixed in:

3007.9

References

https://docs.saltproject.io/en/latest/topics/releases/3006.17.html

https://docs.saltproject.io/en/latest/topics/releases/3007.9.html

https://github.com/advisories/GHSA-vcf3-26xf-fw4m

https://github.com/saltstack/salt

https://github.com/saltstack/salt/commit/3d5708acae16d039a1e2b5529c8e14a0d3255611

https://github.com/saltstack/salt/issues/68467

https://nvd.nist.gov/vuln/detail/CVE-2025-62349

Aliases

CVSS Analysis

CVSS v4.0

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

PresentAT:P

Privileges Required

HighPR:H

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

HighVC:H

Vuln. Integrity

HighVI:H

Vuln. Availability

LowVA:L

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

7.5/CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Related

Ecosystems

Timeline

PublishedJan 30, 2026

ModifiedFeb 1, 2026

GHSA-vcf3-26xf-fw4m | Mondoo Vulnerability Intelligence