CVE-2026-1063 is a command injection vulnerability identified in bastillion-io Bastillion, an open-source SSH key management system, affecting versions 4.0.0 and 4.0.1. The vulnerability resides in the Public Key Management System, specifically within the source file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java. Due to insufficient input validation or sanitization, an attacker can manipulate inputs to inject arbitrary commands that the system executes. This flaw can be exploited remotely without requiring user interaction or authentication, increasing the attack surface significantly. The vulnerability was disclosed publicly on January 17, 2026, but the vendor has not issued any patches or responses. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The exploitability is rated as partially functional (E:P). Although no known exploits are currently active in the wild, the public disclosure increases the risk of exploitation. Bastillion is often deployed in enterprise environments to manage SSH keys, making this vulnerability critical in contexts where secure access to servers is essential. Successful exploitation could allow attackers to execute arbitrary commands on the Bastillion server, potentially leading to full system compromise, lateral movement, or disruption of SSH key management operations.

For European organizations, the impact of CVE-2026-1063 can be significant, especially for those relying on Bastillion for centralized SSH key management. Exploitation could lead to unauthorized command execution on the Bastillion server, compromising the confidentiality and integrity of SSH keys and associated credentials. This could facilitate further attacks such as unauthorized access to critical infrastructure, data exfiltration, or disruption of services dependent on SSH access. The availability of Bastillion services could also be affected, impacting operational continuity. Given the lack of vendor response and patches, organizations face an elevated risk window. Sectors such as finance, telecommunications, energy, and government agencies in Europe, which often use Bastillion or similar tools for secure access management, are particularly vulnerable. The ability to remotely exploit this vulnerability without authentication or user interaction increases the threat to remote and cloud-hosted Bastillion deployments common in European enterprises.

Until an official patch is released, European organizations should implement the following mitigations: 1) Restrict network access to Bastillion management interfaces using firewalls, VPNs, or zero-trust network segmentation to limit exposure to trusted administrators only. 2) Monitor Bastillion server logs and network traffic for unusual command execution patterns or unauthorized access attempts. 3) Employ application-layer firewalls or intrusion detection/prevention systems (IDS/IPS) to detect and block suspicious command injection payloads targeting the AuthKeysKtrl component. 4) Regularly audit and rotate SSH keys managed by Bastillion to minimize the impact of potential key compromise. 5) Consider deploying Bastillion in isolated environments or containers with minimal privileges to reduce the blast radius of a successful exploit. 6) Stay informed on vendor updates or community patches and plan for rapid deployment once available. 7) Evaluate alternative SSH key management solutions with active support if Bastillion usage is critical and no patch timeline is provided.