Description
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated for XPath metacharacters, allowing injection of arbitrary XPath predicates. This vulnerability is fixed in 0.9.0.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

pam_usb constructs XPath queries from user-supplied identifiers (the PAM username and service name) and device-supplied properties (USB serial, model, vendor). These values were not sanitized for XPath metacharacters, so an attacker could inject arbitrary XPath predicates into the query that is evaluated against the local configuration file /etc/pamusb.conf. Injected predicates could alter the query logic and allow the attacker to retrieve sensitive configuration data or otherwise influence authentication behavior. This is a classic XPath injection weakness (CWE-91).

Affected Systems

The affected product is pam_usb from the mcdope project. Versions before 0.9.0 are vulnerable; version 0.9.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity level. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker who can influence the PAM username, service name, or USB device identifiers can exploit the injection during an authentication attempt. While no public exploit is reported, the moderate CVSS indicates that if an attacker can provide crafted input, they could potentially read configuration details that may aid further attacks. The fix is available in version 0.9.0; updating to that release mitigates the issue.

Generated by OpenCVE AI on May 27, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pam_usb to version 0.9.0 or later to apply the XPath injection fix.
  • If an immediate upgrade is not possible, constrain the PAM services that invoke pam_usb and enforce that usernames, service names, and USB device identifiers contain only safe characters (e.g., alphanumerics).
  • Audit /etc/pamusb.conf and verify that no unintended identifiers or malicious USB devices have been added; consider disabling pam_usb in environments where local USB authentication is not required.
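As an added illustration of the allowlist approach recommended above, and of why unvalidated identifiers inside XPath string literals are dangerous (see the Impact section), the following is example code written for this page; it is not pam_usb's own implementation. The section names, the id-based lookups and the shape of the sample configuration are assumptions that only approximate pamusb.conf, and the sample document is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Allowlist for any value interpolated into an XPath string literal. Letters,
# digits, space, dot, underscore and hyphen cannot terminate a quoted literal or
# open a predicate, so the structure of the expression cannot change. The exact
# policy is this example's choice, not pam_usb's.
SAFE_IDENTIFIER = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

# Config sections looked up by id. Assumed names that approximate pamusb.conf.
SECTIONS = {"users": "user", "services": "service", "devices": "device"}


def is_safe_identifier(value: str) -> bool:
    """True when value passes the allowlist, i.e. contains no XPath metacharacters."""
    return SAFE_IDENTIFIER.fullmatch(value) is not None


def build_query(section: str, identifier: str) -> str:
    """Build a lookup such as users/user[@id='alice'].

    Unsafe identifiers are refused rather than escaped: XPath 1.0 has no escape
    sequence inside string literals, so an allowlist is the robust choice.
    """
    if section not in SECTIONS:
        raise ValueError(f"unknown config section {section!r}")
    if not is_safe_identifier(identifier):
        raise ValueError(f"identifier rejected by allowlist: {identifier!r}")
    return f"{section}/{SECTIONS[section]}[@id='{identifier}']"


def load_config(xml_text: str) -> ET.Element:
    """Parse a pamusb.conf-style document (string input so the example runs offline)."""
    return ET.fromstring(xml_text)


def device_for_user(root: ET.Element, username: str) -> Optional[str]:
    """Return the device id assigned to username, or None if no such user."""
    user = root.find(build_query("users", username))
    if user is None:
        return None
    dev = user.find("device")
    return dev.text.strip() if dev is not None and dev.text else None


def audit_config(xml_text: str) -> List[Tuple[str, str]]:
    """Flag identifiers in the config that would fail the allowlist.

    Covers every id attribute plus the device-supplied vendor/model/serial
    values, since those also end up inside XPath literals.
    """
    findings = []
    for elem in load_config(xml_text).iter():
        ident = elem.get("id")
        if ident is not None and not is_safe_identifier(ident):
            findings.append((elem.tag, ident))
        if elem.tag in ("vendor", "model", "serial"):
            text = (elem.text or "").strip()
            if not is_safe_identifier(text):
                findings.append((elem.tag, text))
    return findings


# Constructed sample in the rough shape of pamusb.conf. One device id carries an
# apostrophe, which would close the string literal in a naively built query.
SAMPLE_CONF = """<configuration>
  <devices>
    <device id="usb-key">
      <vendor>ExampleVendor</vendor>
      <model>Flash Drive</model>
      <serial>0123456789ABCDEF</serial>
    </device>
    <device id="lab'key">
      <vendor>ExampleVendor</vendor>
      <model>Flash Drive</model>
      <serial>FEDCBA9876543210</serial>
    </device>
  </devices>
  <users>
    <user id="alice"><device>usb-key</device></user>
  </users>
  <services>
    <service id="sudo"/>
  </services>
</configuration>"""


if __name__ == "__main__":
    root = load_config(SAMPLE_CONF)
    print("alice ->", device_for_user(root, "alice"))
    print("audit findings:", audit_config(SAMPLE_CONF))
    try:
        build_query("users", "alice'")
    except ValueError as exc:
        print("rejected:", exc)
```

The design choice worth noting is refusal over escaping: because an XPath 1.0 string literal cannot contain its own delimiter, the usual fix is either an allowlist like the one above or a parameterised XPath API where the engine supports variables; string concatenation with "escaped" input is not a reliable option. The audit function applies the same allowlist to values already stored in the configuration, which is what the audit recommendation above amounts to in practice.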

Advisories

No advisories yet.

History

Wed, 27 May 2026 20:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated for XPath metacharacters, allowing injection of arbitrary XPath predicates. This vulnerability is fixed in 0.9.0.
Title        (none)           pam_usb: XPath injection via PAM-supplied identifiers in pam_usb configuration queries
Weaknesses   (none)           CWE-91
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T20:03:39.297Z

Reserved: 2026-05-18T23:03:37.230Z

Link: CVE-2026-47273

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T20:16:39.880

Modified: 2026-05-27T20:16:39.880

Link: CVE-2026-47273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T22:00:17Z

Weaknesses