CVE-2026-38974
Received Received - Intake

Dulwich Missing SSH Host Key Verification

Vulnerability report for CVE-2026-38974, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: MITRE

Description

Dulwich through 1.1.0 was found to be missing SSH host key verification in contrib/paramiko_vendor.py.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Dulwich through version 1.1.0 lacks SSH host key verification in the contrib/paramiko_vendor.py file. This means it does not properly validate the authenticity of SSH servers during connections, potentially allowing man-in-the-middle attacks where an attacker could intercept or alter communications.

Impact Analysis

This vulnerability could allow attackers to impersonate SSH servers and intercept or modify data transmitted between your system and the server. This may lead to unauthorized access to sensitive information, code execution, or further compromise of your systems.

Compliance Impact

This vulnerability could violate compliance requirements that mandate secure communication channels, such as GDPR's data protection principles or HIPAA's safeguards for protected health information. Failure to verify SSH host keys may result in non-compliance due to the risk of data interception or tampering.

Mitigation Strategies

Update Dulwich to a version beyond 1.1.0 where SSH host key verification is properly implemented. Review contrib/paramiko_vendor.py for missing host key checks and ensure SSH connections enforce host key verification.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38974. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart