CVE-2026-32772
Analyzed Analyzed - Analysis Complete
Information Disclosure via NEW_ENVIRON in GNU inetutils Telnet

Publication date: 2026-03-16

Last updated on: 2026-05-05

Assigner: MITRE

Description
telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32772
EUVD
EUVD-2026-12154
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnu inetutils to 2.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-669 The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32772 is a vulnerability in the telnet client of GNU inetutils version 2.7 and other Unix-like systems that allows a telnet server to read arbitrary environment variables from a connecting client. This happens through the use of the NEW-ENVIRON telnet option combined with the SEND USERVAR command, which requests environment variables from the client.

The vulnerability arises because the affected telnet clients unconditionally leak any requested environment variable without requiring the variable to be explicitly exported by the client. This means sensitive environment data can be exposed to a malicious telnet server.

The issue was reintroduced in some systems like Debian 12 when switching to inetutils telnet, and affects other systems such as FreeBSD, NetBSD, OpenBSD (partially), and Oracle Solaris. It can be exploited by tricking users into connecting to malicious telnet servers, for example via telnet:// URI links in browsers.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to the unintended disclosure of sensitive environment variables from a user's system to a malicious telnet server. Environment variables often contain sensitive information such as authentication tokens, configuration details, or other private data."}, {'type': 'paragraph', 'content': 'An attacker can exploit this by convincing a user to connect to a malicious telnet server, for example through a specially crafted telnet:// URI link or HTTP redirect. Once connected, the attacker can request and obtain arbitrary environment variables from the client.'}, {'type': 'paragraph', 'content': 'This exposure can compromise user privacy and security by leaking confidential information that could be used for further attacks or unauthorized access.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by running a minimal telnet server that requests environment variables from connecting telnet clients using the NEW-ENVIRON SEND USERVAR telnet option.

A proof of concept program named envscraper.c is available which sets up a TCP server on localhost port 23232, accepts telnet client connections, and sends telnet negotiation commands to request specific environment variables.

By running this program and connecting with the telnet client, you can observe if the client leaks environment variables, indicating vulnerability.

Alternatively, you can monitor network traffic for telnet sessions that include the NEW-ENVIRON option with SEND ENV_USERVAR commands, which indicate attempts to read environment variables.

No specific standard commands are provided, but using the envscraper.c proof of concept or similar telnet server setups to test clients is the recommended detection method.

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32772. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart