CVE-2026-1063
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-17

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in bastillion-io Bastillion up to 4.0.1. This vulnerability affects unknown code of the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Such manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-17
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1063
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bastillion-io bastillion to 4.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1063 is a command injection vulnerability in bastillion-io Bastillion versions up to 4.0.1, specifically in the Public Key Management System component (AuthKeysKtrl.java). Authenticated users with privileges to upload public keys can embed malicious commands within these keys. When the system processes these keys during SSH key distribution, the embedded commands are executed remotely, allowing attackers to run arbitrary commands on the system. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized remote command execution on affected systems, potentially compromising confidentiality, integrity, and availability. Attackers can execute arbitrary commands remotely after authenticating, which may result in system compromise, data breaches, or disruption of services. [2, 1]

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or suspicious command execution related to public key management operations in bastillion-io Bastillion up to version 4.0.1. Since the vulnerability allows command injection via specially crafted public keys, you can audit logs for unusual commands executed during SSH key distribution. Additionally, checking for uploads of public keys containing suspicious payloads may help. Specific commands are not provided in the resources, but general approaches include reviewing Bastillion logs and using system auditing tools to detect unexpected command executions triggered by public key uploads. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability for users to upload public keys until a fix or patch is available, monitoring and auditing key management activities closely, and considering replacement of bastillion-io Bastillion with an alternative product as no known mitigations or patches have been provided by the vendor. Applying strict access controls to limit who can upload keys and reviewing all public keys for malicious content before acceptance are also recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1063. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart