CVE-2026-1063
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bastillion-io | bastillion | up to and including 4.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1063 is a command injection vulnerability (CWE-77) in bastillion-io Bastillion, versions up to and including 4.0.1, located in the Public Key Management System component (AuthKeysKtrl.java). An authenticated user who is permitted to upload public keys can submit key material that carries embedded command content. When Bastillion processes that material during SSH key distribution, the embedded commands are executed, which lets a remote, authenticated attacker run arbitrary commands on the affected system. [1, 2]
How can this vulnerability impact me?
Successful exploitation gives an authenticated attacker remote command execution on the affected Bastillion host, compromising confidentiality, integrity and availability. The consequences can include full compromise of the host, exposure of data it holds (including the keys it manages and distributes), and disruption of the services that depend on it. [2, 1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection focuses on the public key management workflow of Bastillion up to version 4.0.1. Because the injection is carried by a crafted public key, review the key material users have uploaded for anything beyond a plain single-line public key (declared type, base64 body and an optional short comment), and audit both Bastillion's logs and the host's process-execution records for unexpected commands run during SSH key distribution. The referenced resources do not provide specific detection commands; the general approach is to review Bastillion's logs and to use system auditing tools (process accounting or auditd-style execve logging) to catch unexpected process execution that follows a key upload. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Until a fix is available, restrict or disable the ability to upload public keys, tighten access controls so that only trusted accounts retain that privilege, and review every submitted key for content beyond a plain key line before it is accepted. Monitor and audit key management activity closely. The referenced resource states that no patch or vendor-provided mitigation is known and suggests considering replacement of bastillion-io Bastillion with an alternative product. [2]
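The key review step mentioned in the detection and mitigation answers above (checking uploaded keys for suspicious payloads, and reviewing keys before acceptance) can be implemented as a strict allow-list validator. The following Python is an added example and is not Bastillion's code; it assumes keys are submitted as single OpenSSH public key lines of the form `<type> <base64> [comment]` and that only the listed key types need to be accepted. The sample inputs, including the 32-byte key material, are constructed placeholders, not real keys.

```python
"""Strict validator for user-supplied OpenSSH public keys (added example)."""
import base64
import binascii
import re
import struct

# Key types the deployment is willing to accept (assumption: these common
# types are sufficient; extend the set if others are required).
ALLOWED_KEY_TYPES = {
    "ssh-ed25519",
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
}

# Comment allow-list: identifiers and e-mail-like strings only. Quotes,
# semicolons, pipes, backticks, $, spaces and authorized_keys option syntax
# all fall outside this set and are rejected rather than sanitised.
COMMENT_RE = re.compile(r"[A-Za-z0-9._@+-]{1,64}")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def _ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end], end


def validate_public_key(line: str):
    """Return (ok, reason) for one submitted key.

    Accepts only '<type> <base64> [comment]' on a single line, where the
    base64 body decodes to an SSH key blob whose embedded type string equals
    the declared type. Extra lines, leading authorized_keys options such as
    command="...", and metacharacters in the comment are all rejected with a
    reason suitable for writing to an audit log.
    """
    if "\n" in line or "\r" in line:
        return False, "multi-line input (would add extra authorized_keys entries)"
    parts = line.strip().split()
    if len(parts) not in (2, 3):
        return False, "expected '<type> <base64> [comment]'"
    key_type, body = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_KEY_TYPES:
        # Also catches options placed before the type, e.g. command="..." ssh-rsa ...
        return False, f"leading token is not an accepted key type: {key_type!r}"
    if not BASE64_RE.fullmatch(body):
        return False, "key body contains non-base64 characters"
    try:
        blob = base64.b64decode(body, validate=True)
    except binascii.Error:
        return False, "key body does not decode as base64"
    try:
        embedded, _ = _ssh_string(blob, 0)
    except ValueError as exc:
        return False, f"malformed key blob: {exc}"
    if embedded != key_type.encode("ascii"):
        return False, "declared type does not match type embedded in key blob"
    if comment and not COMMENT_RE.fullmatch(comment):
        return False, "comment contains characters outside the allow-list"
    return True, "ok"


def review_uploads(lines):
    """Audit a batch of submitted keys; returns [(line, ok, reason), ...]."""
    return [(line, *validate_public_key(line)) for line in lines]


def make_ed25519_line(raw32: bytes, comment: str = "") -> str:
    """Build a well-formed ssh-ed25519 line from 32 raw key bytes (for samples)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    line = "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


if __name__ == "__main__":
    DUMMY_KEY = bytes(range(32))  # constructed placeholder, not a real key
    good = make_ed25519_line(DUMMY_KEY, "alice@example.org")
    samples = [  # constructed inputs: one clean line, four that must be rejected
        good,
        'command="/usr/bin/id" ' + make_ed25519_line(DUMMY_KEY),
        good + "\nssh-rsa AAAA attacker",
        make_ed25519_line(DUMMY_KEY, "alice;id"),
        "ssh-rsa " + good.split()[1] + " alice",
    ]
    for line, ok, reason in review_uploads(samples):
        print("ACCEPT" if ok else "REJECT", reason)
```

Rejection reasons are returned rather than printed so that the calling code can write them to the audit trail the detection answer recommends reviewing. Comments are deliberately limited to a short identifier or address: a comment containing spaces, quotes or shell metacharacters is rejected instead of being cleaned up, which is the safer default when the accepted line will later be written into a file read by sshd or handed to a command.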