cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
RSS Feed
HIGH
GHSA-r6ph-v2qm-q3c2
CVE-2026-26007
Description:
Vulnerability Summary
The public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve.
This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.
Only SECT curves are impacted by this.
Credit
This vulnerability was discovered by:
- XlabAI Team of Tencent Xuanwu Lab
- Atuin Automated Vulnerability Discovery Engine
Affected Packages
| Ecosystem | Package | Vulnerable Versions | Patched Version |
|---|---|---|---|
| pypi |
cryptography
|
<= 46.0.4 |
46.0.5
|
Bump the uv group across 1 directory with 8 updates
Open 4 days ago
GlacierEQ/graphiti #2
pip:python-multipart
pip:urllib3
+6 more
build(deps): bump the uv group across 1 directory with 6 updates
Open 4 days ago
GlacierEQ/langflow #40
pip:cryptography
pip:requests
+4 more
Bump the uv group across 1 directory with 7 updates
Open 5 days ago
GlacierEQ/code-graph-mcp #2
pip:black
pip:python-multipart
+5 more
build(deps): bump the uv group across 1 directory with 10 updates
Open 5 days ago
GlacierEQ/bigcases2 #2
pip:django
pip:urllib3
+8 more
Bump the pip group across 1 directory with 6 updates
Open 5 days ago
MTES-MCT/apilos #2165
pip:setuptools
pip:lxml
+4 more
chore(deps): bump the pip group across 2 directories with 7 updates
Closed 7 days ago
pilotwaffle/TORQ-CONSOLE #167
pip:django
pip:jinja2
+5 more
Bump the pip group across 4 directories with 7 updates
Closed 10 days ago
XavierMP14/uv #16
pip:uv
pip:cryptography
+5 more
chore(deps): bump the uv group across 3 directories with 8 updates
Closed 11 days ago
AKJUS/semgrep #204
pip:protobuf
pip:python-multipart
+4 more
Bump the pip group across 3 directories with 9 updates
Closed 12 days ago
nssuwan186-dev/uv #15
pip:setuptools
pip:jinja2
+4 more
Bump cryptography from 45.0.4 to 46.0.7
Closed 14 days ago
Velocidex/pyvelociraptor #38
pip:cryptography
Bump the uv group across 1 directory with 5 updates
Open 16 days ago
jayvicsanantonio/blender-mcp #2
pip:h11
pip:cryptography
+3 more
Bump cryptography from 44.0.2 to 46.0.7
Closed 17 days ago
hawkli-1994/CF-Ares #16
pip:cryptography
chore(deps): bump the uv group across 4 directories with 10 updates
Open 17 days ago
langwatch/langwatch #3684
pip:tornado
pip:python-multipart
+5 more
chore(deps): bump the uv group across 4 directories with 12 updates
Closed 17 days ago
langwatch/langwatch #3677
pip:tornado
pip:python-multipart
+7 more
chore(deps): bump the uv group across 3 directories with 6 updates
Open 17 days ago
langwatch/langwatch #3676
pip:tornado
pip:cryptography
+4 more
chore(deps): bump the uv group across 4 directories with 13 updates
Open 17 days ago
langwatch/langwatch #3672
pip:tornado
pip:python-multipart
+8 more
build(deps): bump cryptography from 45.0.4 to 46.0.7
Closed 17 days ago
danielsimonjr/Windows-mcp #8
pip:cryptography
chore(deps): bump the uv group across 1 directory with 3 updates
Closed 18 days ago
langwatch/langwatch #3649
pip:black
pip:cryptography
+1 more
build(deps): bump cryptography from 46.0.4 to 46.0.7 in /backend
Closed 19 days ago
tresor-del/esat_hub #20
pip:cryptography
chore(deps): bump cryptography from 45.0.4 to 46.0.7 in /rs/rosetta-api/examples/icrc1/python
Open 20 days ago
alialobidm/ic #3
pip:cryptography
Bump cryptography from 1.7.2 to 46.0.7
Open 22 days ago
bvolpato/superset #1
pip:cryptography
chore(deps): bump cryptography from 45.0.4 to 46.0.7
Open 22 days ago
bvolpato/mcp-atlassian #1
pip:cryptography
Bump the pip group across 1 directory with 5 updates
Open 23 days ago
edwardtheharris/dotfiles #457
pip:urllib3
pip:cryptography
+3 more
Bump the pip group across 2 directories with 3 updates
Open 24 days ago
fitanon/square-notion-sync #9
pip:cryptography
pip:requests
+1 more
chore(deps): bump the uv group across 2 directories with 5 updates
Closed 24 days ago
Project-Tick/Project-Tick #35
pip:urllib3
pip:cryptography
+3 more
chore(deps): Bump cryptography from 43.0.3 to 46.0.7 in /apps/myrestaurantreviews/backend
Open 25 days ago
jykwon91/MyFreeApps #17
pip:cryptography
chore: bump the python-minor-patch group across 2 directories with 20 updates
Open 25 days ago
ianlasic03/open-wearables-demo #15
pip:boto3
pip:fastapi
+17 more
chore(deps): update cryptography requirement from <47.0.0,>=44.0.3 to >=46.0.7,<47.0.0
Closed 25 days ago
bybatkhuu/module-python-utils #38
pip:cryptography
deps(deps): update cryptography requirement from >=41.0 to >=46.0.7
Open 26 days ago
Scottcjn/Rustchain #2652
pip:cryptography
chore(deps): bump the uv group across 3 directories with 8 updates
Open 26 days ago
AKJUS/semgrep #197
pip:protobuf
pip:python-multipart
+4 more
chore(deps): update cryptography requirement from >=42.0.0 to >=46.0.7
Open 27 days ago
ariffazil/arifOS #346
pip:cryptography
build(deps): bump the pip group across 12 directories with 7 updates
Open 27 days ago
jfkmsp/checkmk #78
pip:black
pip:python-multipart
+4 more
Bump the uv group across 10 directories with 7 updates
Open 27 days ago
SherfeyInv/unstract #175
pip:pytest
pip:cryptography
+4 more
chore(deps): bump the pip group across 14 directories with 10 updates
Closed 27 days ago
trademomentumllc/ihep-application #16
pip:google-cloud-aiplatform
pip:pytest
+3 more
chore(deps): bump cryptography from 41.0.7 to 46.0.7
Closed 27 days ago
MoKangMedical/biostats- #6
pip:cryptography
build(deps): bump the uv group across 3 directories with 9 updates
Closed 28 days ago
aws/deep-learning-containers #5978
pip:jinja2
pip:werkzeug
+7 more
deps: Update cryptography requirement from <43.0,>=41.0 to >=41.0,<47.0
Open 28 days ago
SandRiseStudio/amprealize-enterprise #25
pip:cryptography
chore(deps): Update cryptography requirement from >=44.0.0 to >=46.0.7 in /backend/pipelines/svineflytning_pipeline
Open 28 days ago
Klimabevaegelsen/landbruget.dk #1034
pip:cryptography
build(deps): Update cryptography requirement from <44.0,>=42.0 to >=42.0,<47.0 in /components/update-agent
Closed 28 days ago
singleaxis/singleaxis-fabric #6
pip:cryptography
chore(deps): bump cryptography from 46.0.3 to 46.0.7 in /backend
Closed 28 days ago
DiscSecOps/DiscSecOps #152
pip:cryptography
build(deps): bump the python-minor-patch group across 1 directory with 43 updates
Closed 30 days ago
wandile0157/smartdoc-ai-backend #4
pip:regex
pip:jinja2
+41 more
build(deps): bump the pip group across 1 directory with 5 updates
Open about 1 month ago
jonasspezia/unstructured #3
pip:cryptography
pip:sentencepiece
+3 more
build(deps): bump the pip group across 1 directory with 4 updates
Closed about 1 month ago
rajeevrajora77-lab/AION-v1 #57
pip:python-multipart
pip:cryptography
+2 more
Bump the uv group across 8 directories with 9 updates
Open about 1 month ago
SherfeyInv/unstract #173
pip:werkzeug
pip:protobuf
+6 more
chore(deps): bump the pip group across 1 directory with 14 updates
Closed about 1 month ago
Open-Earth-Foundation/CityCatalyst #2499
pip:uv
pip:python-multipart
+12 more
chore(deps): bump the uv group across 15 directories with 9 updates
Open about 1 month ago
bobdavis84/a2a-samples #53
pip:litellm
pip:python-multipart
+5 more
chore(deps): bump the uv group across 2 directories with 10 updates
Closed about 1 month ago
markevanrozeboom/agents-at-scale-ark #28
pip:black
pip:requests
+4 more
chore: bump the python-minor-patch group across 2 directories with 19 updates
Open about 1 month ago
ianlasic03/open-wearables-demo #5
pip:boto3
pip:fastapi
+17 more
Bump the uv group across 7 directories with 9 updates
Open about 1 month ago
SherfeyInv/unstract #170
pip:werkzeug
pip:protobuf
+6 more
Bump the uv group across 11 directories with 10 updates
Open about 1 month ago
SherfeyInv/unstract #169
pip:werkzeug
pip:protobuf
+7 more
Actions
Advisory Details
| Published: | February 10, 2026 3 months ago |
| Updated: | May 06, 2026 13 days ago |
| CVSS Score: | 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| EPSS: | 0.01% 1th percentile |
| Source: | Github |
| Classification: | GENERAL |
| UUID: | GSA_kwCzR0hTQS1yNnBoLXYycW0tcTNjMs4ABSLs |
PR Statistics
PR Status
Open
563 (38.8%)
Merged
0 (0.0%)
Closed
887 (61.2%)
Update Types
Major
901 (28.3%)
Minor
768 (24.1%)
Patch
1428 (44.8%)
References
- https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2
- https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
- https://github.com/pyca/cryptography/releases/tag/46.0.5
- https://nvd.nist.gov/vuln/detail/CVE-2026-26007
- http://www.openwall.com/lists/oss-security/2026/02/10/4
- https://github.com/advisories/GHSA-r6ph-v2qm-q3c2