Description
In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.
Published: 2026-05-05
Score: 3.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Paramiko, up to version 4.0.0 before the commit identified as a448945, includes code in rsakey.py that allows use of the SHA‑1 algorithm for RSA key handling. This weakness permits the use of an outdated hash function, undermining the strength of digitally signed operations. If an application relies on Paramiko for authentication or key verification, attackers could exploit the weaker SHA‑1 to forge signatures, potentially allowing unauthorized access or tampering. The CVE impact is limited to integrity and authenticity concerns rather than direct code execution.

Affected Systems

The affected product is Paramiko. All releases prior to version 4.0.0 released before the commit a448945 are impacted, including any distributions or applications that embed those versions.

Risk and Exploitability

The CVSS score of 3.4 indicates low risk. The EPSS score of < 1 % suggests a very low probability of exploitation, and the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation. This weakness is typical of static cryptographic libraries and may be exploitable if the application accepts parametrized RSA keys. Based on the description, it is inferred that attackers would need to supply RSA keys that use SHA‑1, so the attack vector is likely through application usage of Paramiko for key processing or authentication.

Generated by OpenCVE AI on May 6, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Paramiko 4.0.0 or later that removes SHA‑1 usage (commit a448945).
  • Modify application logic to detect and reject RSA keys that use SHA‑1, enforcing stronger hash functions such as SHA‑256, addressing both CWE‑327 and CWE‑328.
  • Audit any custom RSA key handling code within your application to ensure no SHA‑1 operations remain, and apply corrections if necessary.
  • Verify that no RSA private keys were generated with SHA‑1 and replace them with stronger algorithms to fully mitigate CWE‑328.

Generated by OpenCVE AI on May 6, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r374-rxx8-8654 Paramiko rsakey.py allows the SHA-1 algorithm
History

Wed, 06 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Title Paramiko RSA key handling allows SHA‑1 algorithm usage paramiko: Paramiko: Data integrity could be compromised due to SHA-1 algorithm use
Weaknesses CWE-328
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 06 May 2026 02:30:00 +0000

Type Values Removed Values Added
Title Paramiko RSA key handling allows SHA‑1 algorithm usage

Wed, 06 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.
First Time appeared Paramiko
Paramiko paramiko
Weaknesses CWE-327
CPEs cpe:2.3:a:paramiko:paramiko:*:*:*:*:*:*:*:*
Vendors & Products Paramiko
Paramiko paramiko
References
Metrics cvssV3_1

{'score': 3.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

Paramiko Paramiko
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-06T12:54:17.468Z

Reserved: 2026-05-05T23:50:52.416Z

Link: CVE-2026-44405

cve-icon Vulnrichment

Updated: 2026-05-06T12:54:12.411Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T00:16:04.883

Modified: 2026-05-07T15:53:49.717

Link: CVE-2026-44405

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-05T23:50:52Z

Links: CVE-2026-44405 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T17:15:08Z

Weaknesses