CVE-2026-47273
XPath Injection in pam_usb Prior to 0.9.0
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mcdope | pam_usb | to 0.9.0 (exc) |
| mcdope | pam_usb | From 0.8.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-91 | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in pam_usb versions prior to 0.9.0, which provides hardware authentication for Linux using removable media. The issue arises because pam_usb builds XPath expressions from user-supplied identifiers (such as PAM username and service name) and device-supplied identifiers (like USB device serial, model, and vendor) without validating these inputs for XPath metacharacters. This lack of validation allows an attacker to inject arbitrary XPath predicates, potentially manipulating the authentication process.
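The missing check described above, as an added example (not pam_usb's own code and not the 0.9.0 patch): each identifier is allow-listed before it is interpolated into an XPath expression, and the lookup fails closed otherwise. The XPath template, the allowed character set, the length limit and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ID_LEN 64   /* assumed limit */
/* Hypothetical template for illustration; not copied from pam_usb. */
#define XPATH_FMT "//configuration/users/user[@id='%s']/device[@id='%s']"

/* XPath 1.0 string literals have no escape sequence, so a quote cannot be
 * neutralized by escaping it. Allow-list the identifier instead. */
static int id_is_safe(const char *id)
{
    size_t i, n = id ? strlen(id) : 0;
    if (n == 0 || n > MAX_ID_LEN)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || strchr("_-. ", c) != NULL))
            return 0;               /* quote, bracket, '=', '/', '|', ... */
    }
    return 1;
}

/* Returns 0 and fills out on success; returns -1 with out emptied when an
 * identifier is unsafe or the expression would be truncated. */
static int build_xpath(char *out, size_t out_len,
                       const char *user, const char *device)
{
    int n;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (!id_is_safe(user) || !id_is_safe(device))
        return -1;                  /* fail closed: caller denies the login */
    n = snprintf(out, out_len, XPATH_FMT, user, device);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';              /* never evaluate a truncated expression */
        return -1;
    }
    return 0;
}

int main(void)
{
    const char *users[] = { "alice", "alice'", "bob]" }; /* constructed samples */
    char expr[256];
    size_t i;
    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-7s %s\n", users[i],
               build_xpath(expr, sizeof expr, users[i], "Cruzer Blade") ? "rejected" : expr);
    return 0;
}
```

The same validation applies to every identifier named in the description, including the device-supplied serial, model and vendor strings, since those are attacker-controllable when the device itself is untrusted.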
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-47273 in pam_usb allows XPath injection through unvalidated user and device identifiers, potentially enabling attackers to bypass authentication or impersonate devices.
Such unauthorized access or manipulation of authentication mechanisms could lead to unauthorized disclosure or modification of sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict access controls and protection of personal or health information.
By allowing attackers to bypass authentication, this vulnerability could undermine the integrity and confidentiality of systems handling regulated data, thereby increasing the risk of non-compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves XPath injection through user-supplied or device-supplied identifiers in pam_usb prior to version 0.9.0. Detection involves checking if the pam_usb version in use is vulnerable and inspecting configuration or logs for suspicious XPath metacharacters in identifiers.
To detect if your system is vulnerable, first verify the installed pam_usb version:
- dpkg -l | grep -i 'pam[-_]usb' # On Debian-based systems
- rpm -qa | grep -i 'pam[-_]usb' # On RPM-based systems
If the version is earlier than 0.9.0, your system is vulnerable.
To detect potential exploitation attempts or suspicious identifiers containing XPath metacharacters (such as single quotes), you can search the pam_usb configuration file and logs for these characters:
- grep -n "['\"]" /etc/pamusb.conf
- grep -r "['\"]" /var/log/auth.log
Additionally, monitoring authentication failures or unusual device authentication behavior may help identify exploitation attempts.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to perform XPath injection attacks, which may lead to unauthorized access or manipulation of the authentication process. According to the CVSS v3.1 score, the vulnerability has a base score of 6.5, indicating a medium severity with low confidentiality impact, high integrity impact, and no availability impact. This means an attacker could potentially alter authentication data or bypass authentication controls, compromising system integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade pam_usb to version 0.9.0 or later, where the issue with XPath injection has been fixed.