CVE-2026-44405
Awaiting Analysis Awaiting Analysis - Queue
Remote Code Execution in Paramiko via SHA-1 Weakness

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: MITRE

Description
In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44405
EUVD
EUVD-2026-27514
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
paramiko paramiko to a448945 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the Paramiko library versions through 4.0.0 before a specific update (commit a448945) where the RSA key handling code (rsakey.py) allowed the use of the SHA-1 hashing algorithm.

SHA-1 is considered cryptographically weak and vulnerable to collision attacks, which can undermine the security of RSA signatures.

The vulnerability is that Paramiko continued to support SHA-1 for RSA signatures, which is no longer recommended due to its weaknesses.

Impact Analysis

The impact of this vulnerability is a reduced security level in cryptographic operations using Paramiko's RSA key handling.

Because SHA-1 is weak, attackers could potentially exploit this to forge RSA signatures or perform collision attacks, leading to compromised authentication or data integrity.

However, the CVSS score of 3.4 indicates a low severity, meaning the attack vector is limited (adjacent network), requires high complexity, and does not require privileges or user interaction.

Detection Guidance

This vulnerability involves the use of the SHA-1 algorithm in RSA key handling within the Paramiko library versions through 4.0.0 before commit a448945.

To detect if your system or network is affected, you can check the version of Paramiko installed and whether it uses SHA-1 for RSA signatures.

Suggested commands include:

  • Check Paramiko version: python -c "import paramiko; print(paramiko.__version__)"
  • Search for usage of SHA-1 in your code or dependencies: grep -r 'sha1' /path/to/your/project
  • If you have access to the Paramiko source or installed package, verify if the RSAKey class supports SHA-1 by inspecting relevant files or logs.
Mitigation Strategies

To mitigate this vulnerability, upgrade Paramiko to a version including commit a448945 or later, which removes SHA-1 support for RSA keys.

This update replaces SHA-1 with stronger SHA-2 variants (rsa-sha2-256 and rsa-sha2-512) for RSA signatures, improving security.

Note that this change is backwards incompatible for systems relying on legacy SHA-1 support, so verify compatibility before upgrading.

Compliance Impact

The vulnerability involves the use of the SHA-1 algorithm in RSA key handling within the Paramiko library. SHA-1 is considered cryptographically weak and deprecated by many security standards.

Continuing to use SHA-1 for cryptographic signatures can negatively impact compliance with common security standards and regulations such as GDPR and HIPAA, which require strong cryptographic protections to safeguard data integrity and confidentiality.

The removal of SHA-1 support in Paramiko (replaced by stronger SHA-2 variants) helps improve compliance posture by aligning with modern cryptographic best practices recommended by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44405. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart