Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

The urwid web display backend generates session identifiers using Python's Mersenne Twister PRNG, which is not cryptographically secure. (CVE-2026-9323)

0
Critical
Published: 07/18/2026 (07/18/2026, 15:31:50 UTC)
Source: GCVE Database

Description

The urwid web display backend generates session identifiers using Python's Mersenne Twister PRNG, which is not cryptographically secure. An attacker who observes approximately 334 session IDs can reconstruct the internal PRNG state and predict all past and future session IDs. Session IDs are also used as filenames for FIFOs in the world-listable /tmp directory, allowing local users to enumerate active sessions. With a valid session ID, an attacker can read the victim's terminal screen, inject keystrokes to execute code with the victim's privileges, or disrupt the session. A prior security warning about this insecure PRNG usage was suppressed rather than fixed.

CVSS v4.0

Attack Vector
Network
Attack Complexity
High
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
High
Vuln. Availability
High
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
Scope
X
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected software

urwid
pkg:pypi/urwid
Affected versions
*

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/18/2026, 16:21:13 UTC

Technical Analysis

The vulnerability in urwid's web display backend (urwid/display/web.py) arises from generating web session identifiers by concatenating two random.randrange(10**9) calls using Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes about 30 bits of PRNG state, and the full internal state is approximately 19,937 bits. Observing around 334 session IDs allows an attacker to reconstruct the PRNG state, enabling prediction of all past and future session IDs. Additionally, the session ID is used as the filename of a FIFO in the world-listable /tmp directory, allowing local users to enumerate active sessions. With a valid session ID, attackers can read terminal output, inject keystrokes to execute arbitrary code with the session owner's privileges, or disrupt the session by injecting exit sequences or flooding the FIFO. This issue was previously flagged by Bandit (S311) but was suppressed instead of remediated.

Potential Impact

An attacker who obtains or observes enough session IDs can fully reconstruct the PRNG state, allowing prediction of all session identifiers. This enables unauthorized access to active sessions, including reading terminal output and injecting keystrokes, potentially leading to OS-level code execution with the session owner's privileges. Local users can also enumerate active sessions by listing the /tmp directory. The vulnerability thus allows both remote and local privilege escalation and session hijacking, posing a critical security risk.

Mitigation Recommendations

No official patch or fix is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, restrict access to the /tmp directory to prevent local users from enumerating session FIFOs and avoid exposing session IDs in HTTP headers. Consider disabling or isolating the urwid web display backend in sensitive environments. Avoid relying on Python's Mersenne Twister PRNG for security-sensitive session identifiers.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-83x9-8wvq-rrcp
Osv Schema Version
1.4.0
Aliases
["CVE-2026-9323"]
Ecosystems
[]
Database Specific Severity
CRITICAL
Cvss Version
4.0

Threat ID: 6a5ba17c44ab8fbf7c789a74

Added to database: 07/18/2026, 15:53:32 UTC

Last enriched: 07/18/2026, 16:21:13 UTC

Last updated: 07/18/2026, 18:51:14 UTC

Views: 13

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses