
Description

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, the Custom SMS API client in JumpServer does not properly validate the TLS certificate of the SMS API endpoint it connects to (CWE-295). Because MFA/OTP codes are delivered through that client, an attacker positioned on the network path between JumpServer and the SMS provider can intercept the request and read the verification code before it reaches the user's phone. This vulnerability is fixed in v4.10.16-lts.
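The weak client setting beside the corrected one, as an added illustration of the CWE-295 pattern described above. This is not JumpServer's code (JumpServer is a Python project, which is why the example is in Python); the endpoint URL, the request payload shape and the function names are assumptions. The hardened path also fails closed: the audit runs before any bytes leave the host, so an OTP is never handed to a transport that will not verify its peer.

```python
"""Weak vs. hardened TLS settings for an outbound SMS/OTP API client.

Added illustration of improper certificate validation (CWE-295) in an
SMS client; not JumpServer code. The endpoint URL, payload shape and
function names are assumptions made for the example.
"""
import json
import ssl
import urllib.request
from typing import List, Optional
from urllib.parse import urlparse


def insecure_context() -> ssl.SSLContext:
    """The weak pattern: TLS is negotiated, but the server certificate is
    never checked, so any host on the path can present its own certificate
    and read the OTP in the request body."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain against the system store (or a pinned CA bundle),
    require the hostname to match the certificate, and refuse TLS < 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_sms_client(url: str, ctx: ssl.SSLContext) -> List[str]:
    """Return every reason an OTP must not be sent with this url/context.
    An empty list means the channel is acceptable."""
    findings = []
    if urlparse(url).scheme != "https":
        findings.append("endpoint is not https")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 allowed")
    return findings


def send_otp(url: str, phone: str, code: str, ctx: ssl.SSLContext) -> bytes:
    """Fail closed: refuse to transmit the code over an unverified channel.
    The audit runs before any network I/O, so a misconfigured client
    raises ValueError instead of leaking the code."""
    problems = audit_sms_client(url, ctx)
    if problems:
        raise ValueError("refusing to send OTP: " + "; ".join(problems))
    # Hypothetical provider payload; real SMS APIs differ.
    body = json.dumps({"to": phone, "text": f"Your code is {code}"}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Hypothetical endpoint; nothing is sent here, only audited.
    endpoint = "https://sms.example.net/send"
    print("insecure:", audit_sms_client(endpoint, insecure_context()))
    print("hardened:", audit_sms_client(endpoint, hardened_context()))
```

The audit deliberately inspects the `SSLContext` rather than trusting a boolean such as `verify=True`: a context can be handed to an HTTP library with `check_hostname` cleared while `verify_mode` still reads as "verify", and that combination accepts any valid certificate for any name, which is enough for an on-path attacker with a certificate for a domain they control.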

PUBLISHED Reserved 2026-03-09 | Published 2026-03-13 | Updated 2026-03-13 | Assigner GitHub_M

MEDIUM: 5.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Problem types

CWE-295: Improper Certificate Validation

Product status

< 4.10.16-lts: affected

References

github.com/...server/security/advisories/GHSA-26pj-mmxw-w3w7

cve.org (CVE-2026-31798)

nvd.nist.gov (CVE-2026-31798)
