VIR Vulnerability Intelligence Relay

CVE-2026-44347

medium
Published 2026-05-12 · Modified 2026-05-14
CVSS v3
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS v2
VIR risk
6.5

Description

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on the attacker's account (such as writing sensitive data to the attacker's SSH target, or logging into an HTTP target that the attacker set up). This vulnerability is fixed in 0.23.3.

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/warp-tech/warpgate/security/advisories/GHSA-rj86-hm3r-c275

Application impact
VendorProductVersionsFixed
warpgate_projectwarpgate0.23.2

References

CWEs

CWE-352

Verify integrity in audit chain (admin only). AS-IS.