Description
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication.
Published: 2026-01-22
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

openCryptoki's token-directory file operations resolve symbolic links when they run as a privileged user. A token-group member can plant symlinks inside the group-writable (0770) token or lock directories that redirect those operations to arbitrary filesystem targets. When root later performs a chown or chmod on what it believes is a token file, the attacker gets the ownership or permissions of an arbitrary file changed, or a file created or modified with root ownership, leading to privilege escalation or data exposure.
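The following C program is added here as an illustration; it is not code from openCryptoki or from this advisory. It reproduces the pattern the description calls out (a path-based chmod that follows a planted symlink out of the token directory) next to a hardened alternative. `token_file_set_mode_nofollow` is a hypothetical helper: it opens the entry with O_NOFOLLOW relative to a directory descriptor, checks that it is a plain file with a single link (the hard-link check is an extra precaution not discussed on this page), and applies fchmod/fchown to the descriptor instead of the path. The scenario it runs (a victim file outside a constructed "token" directory, a planted symlink inside it) is constructed; the /tmp path and the file names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened helper (not openCryptoki's code): apply mode and
 * ownership to one entry of a token directory without following links.
 * dirfd is the token directory opened with O_DIRECTORY; name is a bare entry
 * name. Returns 0 on success, -1 with errno set (ELOOP for a symlink). */
int token_file_set_mode_nofollow(int dirfd, const char *name, mode_t mode,
                                 uid_t uid, gid_t gid)
{
    if (strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    /* O_NOFOLLOW turns a symlink into ELOOP; O_NONBLOCK and O_NOCTTY keep a
     * planted FIFO or tty device from hanging or grabbing the terminal. */
    int fd = openat(dirfd, name,
                    O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    /* Only a plain file with a single link is touched: a planted hard link
     * would otherwise reach a file outside the token directory. */
    if (rc == 0 && (!S_ISREG(st.st_mode) || st.st_nlink != 1)) {
        errno = EPERM;
        rc = -1;
    }
    if (rc == 0) rc = fchmod(fd, mode);      /* act on the descriptor, not the path */
    if (rc == 0) rc = fchown(fd, uid, gid);  /* (uid_t)-1 / (gid_t)-1 keep the owner */
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

struct demo_result {
    int unsafe_rc;        /* path-based chmod() through the symlink */
    mode_t victim_mode;   /* permission bits of the outside file afterwards */
    int safe_rc;          /* hardened helper on the symlink */
    int safe_errno;
    int safe_regular_rc;  /* hardened helper on a legitimate token file */
    mode_t regular_mode;
};

/* Constructed scenario: a victim file outside a group-writable "token"
 * directory and a planted symlink inside it that points at the victim. */
struct demo_result run_demo(void)
{
    struct demo_result r = {0};
    struct stat st;
    char root[] = "/tmp/tokdemo.XXXXXX";
    if (mkdtemp(root) == NULL) { perror("mkdtemp"); exit(1); }
    char victim[PATH_MAX], token[PATH_MAX], lnk[PATH_MAX], regular[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", root);
    snprintf(token, sizeof token, "%s/token", root);
    snprintf(lnk, sizeof lnk, "%s/planted", token);
    snprintf(regular, sizeof regular, "%s/regular", token);
    if (mkdir(token, 0770) < 0
        || close(open(victim, O_WRONLY | O_CREAT, 0644)) < 0
        || close(open(regular, O_WRONLY | O_CREAT, 0644)) < 0
        || chmod(victim, 0644) < 0 || chmod(regular, 0644) < 0 /* defeat umask */
        || symlink("../victim", lnk) < 0) {                     /* attacker step */
        perror("fixture");
        exit(1);
    }
    /* Vulnerable pattern: chmod() on the path silently follows the link. */
    r.unsafe_rc = chmod(lnk, 0600);
    stat(victim, &st);
    r.victim_mode = st.st_mode & 07777;
    /* Hardened pattern: the link is refused, the legitimate file is handled. */
    int dirfd = open(token, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    r.safe_rc = token_file_set_mode_nofollow(dirfd, "planted", 0600, -1, -1);
    r.safe_errno = errno;
    r.safe_regular_rc = token_file_set_mode_nofollow(dirfd, "regular", 0600, -1, -1);
    stat(regular, &st);
    r.regular_mode = st.st_mode & 07777;
    close(dirfd);
    unlink(lnk); unlink(regular); unlink(victim); rmdir(token); rmdir(root);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("chmod via symlink: rc=%d, victim mode now %04o\n", r.unsafe_rc, (unsigned)r.victim_mode);
    printf("nofollow on symlink: rc=%d (%s); on regular file: rc=%d, mode %04o\n",
           r.safe_rc, strerror(r.safe_errno), r.safe_regular_rc, (unsigned)r.regular_mode);
    return 0;
}
```

The path-based call returns 0 and the victim outside the directory ends up 0600, which is exactly the "reset ownership or permissions" behaviour the description warns about; the descriptor-based helper fails the symlink with ELOOP and only changes the real token file. The same shape (openat with O_NOFOLLOW, fstat, then f-prefixed calls on the descriptor) applies to the chown case.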

Affected Systems

The issue affects the openCryptoki PKCS#11 library and its administrative tools on Linux and AIX for all releases 2.3.2 and newer.

Risk and Exploitability

The CVSS 3.1 score of 6.8 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L) and an EPSS below 1% indicate moderate severity and a low probability of exploitation in the wild. Exploitation requires local access as a member of the token group (which gives write access to the 0770 token and lock directories) and then a trigger by a privileged user: an administrator running, as root, a PKCS#11 application or an openCryptoki administrative tool that resets ownership or permissions on files inside the token directory. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, consistent with limited active exploitation.

Generated by OpenCVE AI on April 18, 2026 at 18:59 UTC.

Remediation

No released vendor fix or workaround is currently provided. The fix exists only as upstream commit 5e6e4b4, which had not been included in a released version at the time of publication.

OpenCVE Recommended Actions

  • Apply the security fix from commit 5e6e4b4: rebuild and deploy openCryptoki from patched source, or move to an updated release once one is available, and make sure every PKCS#11 consumer and administrative tool on the host loads the patched library.
  • Where every PKCS#11 consumer on the host runs as root or as the daemon, tighten the token and lock directories to 0700 (or drop group write) so that token-group members can no longer plant entries. Caveat: the 0770 layout is what lets non-root token-group users use the tokens at all, so this change breaks those users; in that case rely on the patch rather than on the permission change.
  • Until the patch is deployed, audit the token directories for symbolic links before running any PKCS#11 application or openCryptoki administrative tool as root, and remove what you find. This removes planted payloads but does not fix the CWE-59 link-following flaw itself, so also review group membership and ACLs so that only trusted users can write to these directories.

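As an added example for the audit step in the recommended actions above (not an openCryptoki tool, and not from this page), the C program below walks one token directory without following anything in it and reports the entries a root-run chown or chmod could be redirected through: symbolic links, regular files with more than one hard link (a related trick not covered by this advisory, included as a precaution), and non-file entries. It also reports whether the directory itself is group-writable. `audit_token_dir` and the fixture it is run against are hypothetical; the /tmp path and entry names are assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct audit_result {
    int dir_group_writable;  /* directory mode carries g+w (the 0770 layout) */
    int symlinks;            /* entries that are symbolic links */
    int multilinked;         /* regular files with more than one hard link */
    int other_types;         /* FIFOs, sockets, devices, subdirectories */
    int entries;             /* entries examined, "." and ".." excluded */
};

/* Hypothetical audit routine (not an openCryptoki tool): list what a root-run
 * chown/chmod inside one token directory could be redirected through, without
 * following anything. Subdirectories are counted, not descended; run the same
 * check on each. Returns 0 on success, -1 if the directory cannot be opened. */
int audit_token_dir(const char *path, struct audit_result *out)
{
    memset(out, 0, sizeof *out);
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    struct stat st;
    if (fstat(dfd, &st) < 0) { close(dfd); return -1; }
    out->dir_group_writable = (st.st_mode & S_IWGRP) != 0;
    DIR *d = fdopendir(dfd);                 /* takes ownership of dfd */
    if (d == NULL) { close(dfd); return -1; }
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        /* AT_SYMLINK_NOFOLLOW: describe the entry itself, never its target */
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0)
            continue;
        out->entries++;
        if (S_ISLNK(st.st_mode)) {
            out->symlinks++;
            printf("symlink:     %s/%s\n", path, e->d_name);
        } else if (!S_ISREG(st.st_mode)) {
            out->other_types++;
            printf("non-file:    %s/%s\n", path, e->d_name);
        } else if (st.st_nlink > 1) {
            out->multilinked++;
            printf("hard-linked: %s/%s (%lu links)\n", path, e->d_name,
                   (unsigned long)st.st_nlink);
        }
    }
    closedir(d);
    return 0;
}

/* Constructed fixture: a 0770 directory holding one legitimate file plus a
 * planted symlink, a planted hard link to an outside file, and a FIFO. */
struct audit_result run_audit_demo(void)
{
    struct audit_result a;
    char root[] = "/tmp/tokaudit.XXXXXX";
    if (mkdtemp(root) == NULL) { perror("mkdtemp"); exit(1); }
    char outside[PATH_MAX], token[PATH_MAX], p[4][PATH_MAX];
    snprintf(outside, sizeof outside, "%s/outside", root);
    snprintf(token, sizeof token, "%s/token", root);
    snprintf(p[0], PATH_MAX, "%s/regular", token);
    snprintf(p[1], PATH_MAX, "%s/planted_symlink", token);
    snprintf(p[2], PATH_MAX, "%s/planted_hardlink", token);
    snprintf(p[3], PATH_MAX, "%s/planted_fifo", token);
    if (mkdir(token, 0770) < 0 || chmod(token, 0770) < 0      /* defeat umask */
        || close(open(outside, O_WRONLY | O_CREAT, 0644)) < 0
        || close(open(p[0], O_WRONLY | O_CREAT, 0644)) < 0
        || symlink("../outside", p[1]) < 0 || link(outside, p[2]) < 0
        || mkfifo(p[3], 0600) < 0) {
        perror("fixture");
        exit(1);
    }
    if (audit_token_dir(token, &a) < 0) { perror("audit_token_dir"); exit(1); }
    for (int i = 0; i < 4; i++)
        unlink(p[i]);
    rmdir(token);
    unlink(outside);
    rmdir(root);
    return a;
}

int main(void)
{
    struct audit_result a = run_audit_demo();
    printf("group-writable=%d symlinks=%d hard-linked=%d other=%d (%d entries)\n",
           a.dir_group_writable, a.symlinks, a.multilinked, a.other_types, a.entries);
    return 0;
}
```

Run it against the real token directory (as the directory path instead of the fixture) before invoking any administrative tool as root; a non-zero symlink, hard-link or non-file count is a sign that something was planted and should be removed, and a group-writable directory is the precondition the advisory describes.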


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 20:00:00 +0000

CPEs (added): cpe:2.3:a:opencryptoki_project:opencryptoki:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

First Time appeared (added): Opencryptoki Project; Opencryptoki Project opencryptoki
Vendors & Products (added): Opencryptoki Project; Opencryptoki Project opencryptoki

Fri, 23 Jan 2026 00:15:00 +0000

References (added)
Metrics threat_severity: None (removed) -> Moderate (added)


Thu, 22 Jan 2026 23:00:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 00:45:00 +0000

Description (added): the CVE description shown at the top of this page
Title (added): openCryptoki has improper link resolution before file access (link following)
Weaknesses (added): CWE-59
References (added)
Metrics cvssV3_1 (added): {'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-22T21:52:09.433Z

Reserved: 2026-01-16T21:02:02.902Z

Link: CVE-2026-23893

Vulnrichment

Updated: 2026-01-22T21:52:02.747Z

NVD

Status : Analyzed

Published: 2026-01-22T01:15:52.310

Modified: 2026-03-06T20:00:01.213

Link: CVE-2026-23893

Redhat

Severity : Moderate

Public Date: 2026-01-22T00:01:43Z

Links: CVE-2026-23893 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses