CVE-2026-9323
Received Received - Intake

Predictable Session ID in urwid Web Display Backend

Vulnerability report for CVE-2026-9323, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

The urwid web display backend (urwid/display/web.py) generates web session identifiers (urwid_id) in Screen.start() by concatenating two random.randrange(10**9) calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and the Mersenne Twister internal state is approximately 19,937 bits, so an attacker who observes approximately 334 session IDs (for example via the X-Urwid-ID HTTP response header) can fully reconstruct the internal state and predict all past and future session IDs (Path B). The same identifier is also used as the filename of a FIFO created in the world-listable /tmp directory (for example /tmp/urwid375487765176907690.in), so any local user on the host can list /tmp to enumerate active session tokens directly (Path A). With a valid session ID, an attacker can read the victim's terminal screen via the polling endpoint, inject keystrokes into the victim's session (yielding OS-level code execution with the session owner's privileges if the session runs a shell), and inject exit sequences or flood the FIFO to terminate or crash the session. A prior Bandit S311 warning on this usage was suppressed with # noqa: S311 rather than fixed

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
urwid urwid *
urwid urwid to 24acd12 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-9323 affects the urwid web display backend by generating weak session identifiers using Python's Mersenne Twister PRNG, which is not cryptographically secure. Attackers can predict session IDs by observing around 334 IDs, allowing them to reconstruct the PRNG state and predict all future sessions. Additionally, session IDs are stored as filenames in a world-readable /tmp directory, enabling local users to enumerate active tokens directly.

Detection Guidance

Check for world-readable FIFO files in /tmp with names like /tmp/urwid*.in. Use commands like 'ls -l /tmp/urwid*' or 'find /tmp -name "urwid*" -type p' to detect active sessions. Monitor HTTP response headers for X-Urwid-ID to observe session ID generation patterns.

Impact Analysis

With a valid session ID, an attacker can read your terminal screen, inject keystrokes (potentially leading to OS-level code execution if the session runs a shell), or terminate your session by flooding the FIFO. Local users on the host can also enumerate active session tokens directly from the /tmp directory.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive terminal sessions, potentially exposing personal data or protected health information. Under GDPR, this may constitute a data breach requiring notification to authorities and affected individuals. For HIPAA, it could violate safeguards for protected health information if session access allows unauthorized viewing or modification of medical data.

Mitigation Strategies

Upgrade urwid to a patched version (e.g., commit 24acd12 or later) that uses UUID4 or secrets.token_urlsafe(16) for session IDs. Remove or restrict access to /tmp/urwid* FIFO files. Disable the web display backend if not needed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9323. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart