CVE-2026-44405
Remote Code Execution in Paramiko via SHA-1 Weakness
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| paramiko | paramiko | to a448945 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Paramiko library versions through 4.0.0 before a specific update (commit a448945) where the RSA key handling code (rsakey.py) allowed the use of the SHA-1 hashing algorithm.
SHA-1 is considered cryptographically weak and vulnerable to collision attacks, which can undermine the security of RSA signatures.
The vulnerability is that Paramiko continued to support SHA-1 for RSA signatures, which is no longer recommended due to its weaknesses.
How can this vulnerability impact me? :
The impact of this vulnerability is a reduced security level in cryptographic operations using Paramiko's RSA key handling.
Because SHA-1 is weak, attackers could potentially exploit this to forge RSA signatures or perform collision attacks, leading to compromised authentication or data integrity.
However, the CVSS score of 3.4 indicates a low severity, meaning the attack vector is limited (adjacent network), requires high complexity, and does not require privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the use of the SHA-1 algorithm in RSA key handling within the Paramiko library versions through 4.0.0 before commit a448945.
To detect if your system or network is affected, you can check the version of Paramiko installed and whether it uses SHA-1 for RSA signatures.
Suggested commands include:
- Check Paramiko version: python -c "import paramiko; print(paramiko.__version__)"
- Search for usage of SHA-1 in your code or dependencies: grep -r 'sha1' /path/to/your/project
- If you have access to the Paramiko source or installed package, verify if the RSAKey class supports SHA-1 by inspecting relevant files or logs.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Paramiko to a version including commit a448945 or later, which removes SHA-1 support for RSA keys.
This update replaces SHA-1 with stronger SHA-2 variants (rsa-sha2-256 and rsa-sha2-512) for RSA signatures, improving security.
Note that this change is backwards incompatible for systems relying on legacy SHA-1 support, so verify compatibility before upgrading.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves the use of the SHA-1 algorithm in RSA key handling within the Paramiko library. SHA-1 is considered cryptographically weak and deprecated by many security standards.
Continuing to use SHA-1 for cryptographic signatures can negatively impact compliance with common security standards and regulations such as GDPR and HIPAA, which require strong cryptographic protections to safeguard data integrity and confidentiality.
The removal of SHA-1 support in Paramiko (replaced by stronger SHA-2 variants) helps improve compliance posture by aligning with modern cryptographic best practices recommended by these standards.