The urwid web display backend generates session identifiers using Python's Mersenne Twister PRNG, which is not cryptographically secure. (CVE-2026-9323)
The urwid web display backend generates session identifiers using Python's Mersenne Twister PRNG, which is not cryptographically secure. An attacker who observes approximately 334 session IDs can reconstruct the internal PRNG state and predict all past and future session IDs. Session IDs are also used as filenames for FIFOs in the world-listable /tmp directory, allowing local users to enumerate active sessions. With a valid session ID, an attacker can read the victim's terminal screen, inject keystrokes to execute code with the victim's privileges, or disrupt the session. A prior security warning about this insecure PRNG usage was suppressed rather than fixed.
AI Analysis
Technical Summary
The vulnerability in urwid's web display backend (urwid/display/web.py) arises from generating web session identifiers by concatenating two random.randrange(10**9) calls using Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes about 30 bits of PRNG state, and the full internal state is approximately 19,937 bits. Observing around 334 session IDs allows an attacker to reconstruct the PRNG state, enabling prediction of all past and future session IDs. Additionally, the session ID is used as the filename of a FIFO in the world-listable /tmp directory, allowing local users to enumerate active sessions. With a valid session ID, attackers can read terminal output, inject keystrokes to execute arbitrary code with the session owner's privileges, or disrupt the session by injecting exit sequences or flooding the FIFO. This issue was previously flagged by Bandit (S311) but was suppressed instead of remediated.
Potential Impact
An attacker who obtains or observes enough session IDs can fully reconstruct the PRNG state, allowing prediction of all session identifiers. This enables unauthorized access to active sessions, including reading terminal output and injecting keystrokes, potentially leading to OS-level code execution with the session owner's privileges. Local users can also enumerate active sessions by listing the /tmp directory. The vulnerability thus allows both remote and local privilege escalation and session hijacking, posing a critical security risk.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict access to the /tmp directory to prevent local users from enumerating session FIFOs and avoid exposing session IDs in HTTP headers. Consider disabling or isolating the urwid web display backend in sensitive environments. Avoid relying on Python's Mersenne Twister PRNG for security-sensitive session identifiers.
The urwid web display backend generates session identifiers using Python's Mersenne Twister PRNG, which is not cryptographically secure. (CVE-2026-9323)
Description
The urwid web display backend generates session identifiers using Python's Mersenne Twister PRNG, which is not cryptographically secure. An attacker who observes approximately 334 session IDs can reconstruct the internal PRNG state and predict all past and future session IDs. Session IDs are also used as filenames for FIFOs in the world-listable /tmp directory, allowing local users to enumerate active sessions. With a valid session ID, an attacker can read the victim's terminal screen, inject keystrokes to execute code with the victim's privileges, or disrupt the session. A prior security warning about this insecure PRNG usage was suppressed rather than fixed.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in urwid's web display backend (urwid/display/web.py) arises from generating web session identifiers by concatenating two random.randrange(10**9) calls using Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes about 30 bits of PRNG state, and the full internal state is approximately 19,937 bits. Observing around 334 session IDs allows an attacker to reconstruct the PRNG state, enabling prediction of all past and future session IDs. Additionally, the session ID is used as the filename of a FIFO in the world-listable /tmp directory, allowing local users to enumerate active sessions. With a valid session ID, attackers can read terminal output, inject keystrokes to execute arbitrary code with the session owner's privileges, or disrupt the session by injecting exit sequences or flooding the FIFO. This issue was previously flagged by Bandit (S311) but was suppressed instead of remediated.
Potential Impact
An attacker who obtains or observes enough session IDs can fully reconstruct the PRNG state, allowing prediction of all session identifiers. This enables unauthorized access to active sessions, including reading terminal output and injecting keystrokes, potentially leading to OS-level code execution with the session owner's privileges. Local users can also enumerate active sessions by listing the /tmp directory. The vulnerability thus allows both remote and local privilege escalation and session hijacking, posing a critical security risk.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict access to the /tmp directory to prevent local users from enumerating session FIFOs and avoid exposing session IDs in HTTP headers. Consider disabling or isolating the urwid web display backend in sensitive environments. Avoid relying on Python's Mersenne Twister PRNG for security-sensitive session identifiers.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-83x9-8wvq-rrcp
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-9323"]
- Ecosystems
- []
- Database Specific Severity
- CRITICAL
- Cvss Version
- 4.0
Threat ID: 6a5ba17c44ab8fbf7c789a74
Added to database: 07/18/2026, 15:53:32 UTC
Last enriched: 07/18/2026, 16:21:13 UTC
Last updated: 07/18/2026, 18:51:14 UTC
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.