Description
In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.
Published: 2026-05-05
Score: 3.4 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Paramiko through version 4.0.0, before commit a448945, includes code in rsakey.py that allows use of the SHA‑1 algorithm for RSA key handling. This permits an outdated hash function and undermines the strength of digitally signed operations. If an application relies on Paramiko for authentication or key verification, attackers could exploit the weaker SHA‑1 to forge signatures, potentially allowing unauthorized access or tampering. The CVE impact is limited to integrity and authenticity concerns rather than direct code execution.

Affected Systems

The affected product is Paramiko. All releases through 4.0.0 that predate commit a448945 are impacted, including any distributions or applications that embed those versions.

Risk and Exploitability

The CVSS score of 3.4 indicates low risk. EPSS data is not available, so exploitation likelihood cannot be quantified exactly, but the vulnerability is typical of static cryptographic libraries and may be exploitable if the application accepts parametrized RSA keys. The vulnerability is not listed in CISA KEV, suggesting no confirmed widespread exploitation. Based on the description, it is inferred that attackers would need to supply RSA keys that rely on SHA‑1; thus the attack vector is likely through application usage of Paramiko for key processing or authentication.

Generated by OpenCVE AI on May 6, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Paramiko version that includes commit a448945, which removes SHA‑1 usage.
  • Modify application logic to disable or reject RSA keys that use SHA‑1, enforcing stronger hash functions such as SHA‑256.
  • Audit any custom RSA key handling code within your application to ensure no SHA‑1 operations remain, and apply corrections if necessary.

Advisories

No advisories yet.

History

Wed, 06 May 2026 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Paramiko RSA key handling allows SHA‑1 algorithm usage |

Wed, 06 May 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm. |
| First Time appeared | | Paramiko; Paramiko paramiko |
| Weaknesses | | CWE-327 |
| CPEs | | cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:* |
| Vendors & Products | | Paramiko; Paramiko paramiko |
| References | | |
| Metrics | | cvssV3_1 {'score': 3.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T23:55:03.332Z

Reserved: 2026-05-05T23:50:52.416Z

Link: CVE-2026-44405

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T00:16:04.883

Modified: 2026-05-06T00:16:04.883

Link: CVE-2026-44405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T02:30:05Z

Weaknesses