CVE-2026-1064
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-17

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in bastillion-io Bastillion up to 4.0.1. This issue affects some unknown processing of the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the component System Management Module. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-17
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1064
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
bastillion-io bastillion to 4.0.1 (inc)
bastillion-io bastillion_ssh_key_manager to 4.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1064 is a command injection vulnerability in bastillion-io Bastillion versions up to 4.0.1, specifically in the System Management Module's handling of the authorized_keys path parameter in the file SystemKtrl.java. Authenticated users with system creation or edit privileges can inject malicious commands via this parameter, which are then executed remotely during SSH key distribution. This occurs because the product constructs commands using externally influenced input without properly neutralizing special characters, allowing remote attackers to execute arbitrary commands. The vulnerability requires authentication but can be exploited remotely, and a public proof-of-concept exploit is available. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an authenticated attacker with certain privileges to execute arbitrary commands remotely on your system. This can compromise the confidentiality, integrity, and availability of your system, potentially leading to unauthorized access, data manipulation, or disruption of services. Since the commands are executed during SSH key distribution, it could also affect remote systems connected via SSH. [1, 2]

Detection Guidance

Detection of this vulnerability involves monitoring for unusual command execution patterns related to the authorized_keys path parameter in the System Management Module of bastillion-io Bastillion up to version 4.0.1. Since exploitation requires authentication and involves command injection, you can audit logs for suspicious commands or unauthorized modifications to SSH key distribution processes. Specific commands are not provided in the resources, but general approaches include reviewing Bastillion logs for anomalies, checking for unexpected commands executed remotely, and monitoring for changes in the authorized_keys path parameter. Additionally, scanning for the presence of the vulnerable version (up to 4.0.1) can help identify at-risk systems. [1, 2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the Bastillion system to trusted users only, especially limiting users with system creation or edit privileges. Since no official patch or fix is available as of the disclosure date, users are advised to consider replacing the affected product or disabling the vulnerable System Management Module if possible. Monitoring and auditing for suspicious activity related to SSH key distribution and command execution is also recommended. Applying network-level protections such as firewall rules to limit remote access to Bastillion may reduce exposure. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart