CVE-2026-31798
Received Received - Intake
Certificate Validation Flaw in JumpServer SMS API Enables MFA Code Interception

Publication date: 2026-03-13

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and capture the verification code BEFORE it reaches the user's phone. This vulnerability is fixed in v4.10.16-lts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31798
EUVD
EUVD-2026-12081
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fit2cloud jumpserver to 4.10.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-31798 is a vulnerability in JumpServer's Custom SMS API client prior to version 4.10.16-lts. The issue is caused by improper validation of SSL/TLS certificates when JumpServer sends multi-factor authentication (MFA) or one-time password (OTP) codes via the Custom SMS API."}, {'type': 'paragraph', 'content': "Because of this improper certificate validation, an attacker can perform a man-in-the-middle (MITM) attack by intercepting the HTTPS request that contains the OTP code before it reaches the user's phone."}, {'type': 'paragraph', 'content': 'This allows the attacker to capture the OTP and use it to bypass MFA, potentially logging in as the user without their knowledge.'}] [1]

Impact Analysis

This vulnerability can lead to account takeover by allowing attackers to intercept OTP codes and bypass multi-factor authentication.

  • Attackers can silently access user accounts without the user receiving SMS notifications.
  • Privilege escalation is possible if administrative accounts are targeted, potentially compromising the entire system.

Overall, it undermines the security of the authentication process and can lead to unauthorized access and control over sensitive systems.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves interception of OTP codes sent via HTTPS requests to the Custom SMS API client in JumpServer versions prior to v4.10.16-lts due to improper certificate validation.

Detection would involve monitoring network traffic for suspicious man-in-the-middle (MITM) activity, such as unexpected or invalid SSL/TLS certificates presented during HTTPS connections to the SMS API endpoint.

Specific commands are not provided in the available resources, but general approaches include using network packet capture tools like tcpdump or Wireshark to inspect HTTPS traffic and verify certificate chains, or using tools like OpenSSL to test certificate validation against the SMS API server.

Mitigation Strategies

The primary mitigation step is to upgrade JumpServer to version v4.10.16-lts or later, where the improper certificate validation issue in the Custom SMS API client has been fixed.

Until the upgrade can be applied, ensure that network communications to the SMS API are protected from MITM attacks by enforcing strict SSL/TLS certificate validation and using network security controls such as firewalls and intrusion detection systems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31798. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart