Description
PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust indication for TELNET data but the trust status is not cleared between proxy authentication and the main session.
Published: 2026-05-25
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PuTTY versions 0.77 through 0.83 use a copy of the PuTTY icon as a visual indicator of trust for Telnet traffic, but the trust state is not reset after a proxy authentication step. As a result, Telnet data following proxy login may erroneously retain a trusted flag, potentially allowing an attacker to influence the client with data presumed trustworthy. The effect is limited to integrity and confidentiality of session data, and is reflected in the low CVSS score of 3.1.

Affected Systems

All users of PuTTY 0.77, 0.78, 0.79, 0.80, 0.81, 0.82, and 0.83 are impacted. The fix is available in release 0.84 and later.

Risk and Exploitability

The vulnerability has a CVSS score of 3.1 and has no EPSS data available; it is not listed in the CISA KEV catalog. Because the flaw is an internal trust flag that is not cleared, exploitation would require an attacker to successfully manipulate a proxy session that then passes unverified Telnet data to the client. The current likelihood of exploitation is low, and the potential impact is moderate, with no known widespread active exploitation.

Generated by OpenCVE AI on May 25, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PuTTY to version 0.84 or later, which resets the trust indicator after proxy authentication
  • Verify that the proxy authentication process completes successfully before the main Telnet session starts
  • If an upgrade is not possible, disable or restrict the use of Telnet over proxies to mitigate the risk

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Title | | Residual Trust Status Leak in PuTTY Telnet Sessions

Mon, 25 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust indication for TELNET data but the trust status is not cleared between proxy authentication and the main session.
First Time appeared | | Putty, Putty putty
Weaknesses | | CWE-451
CPEs | | cpe:2.3:a:putty:putty:*:*:*:*:*:*:*:*
Vendors & Products | | Putty, Putty putty
References | |
Metrics | | cvssV3_1: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T12:40:49.268Z

Reserved: 2026-05-25T20:16:30.998Z

Link: CVE-2026-48851

Vulnrichment

Updated: 2026-05-26T12:40:45.994Z

NVD

Status: Received

Published: 2026-05-25T21:16:35.400

Modified: 2026-05-25T21:16:35.400

Link: CVE-2026-48851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T21:30:06Z