PatchSiren cyber security CVE debrief

CVE-2016-9639 SaltStack CVE debrief

CVE-2016-9639 is a critical access-control issue in Salt affecting versions before 2015.8.11. According to the CVE description, a deleted minion could read from or write to a minion that later used the same ID, and the problem is tied to caching. In practice, reusing a minion ID (for example after a host is rebuilt or deprovisioned and its key deleted) could expose data meant for the new minion to the old one, or let the old one make unintended state changes, for as long as the master retained cached state keyed by that ID.

Vendor
SaltStack
Product
Salt
CVSS
CRITICAL 9.1
CISA KEV
Not listed in the stored evidence
Original CVE published
2017-02-07
Original CVE updated
2026-05-13
Advisory published
2017-02-07
Advisory updated
2026-05-13

Who should care

Administrators and security teams running Salt masters and minions, especially environments where minion IDs may be reused, hosts are rebuilt frequently, or caching and identity lifecycle controls are part of the operational model.

Technical summary

NVD maps this issue to CWE-284 (Improper Access Control) and scores it CVSS 3.0 9.1 Critical. The vulnerable range is Salt versions up to and including 2015.8.10; 2015.8.11 is the first fixed release. The core failure is that cached authorization or identity state keyed by minion ID could persist on the master after the minion's key was deleted, allowing a later minion with the same ID to inherit access that should no longer exist. The CVE references Salt's master configuration documentation on rotating the AES key, which is relevant because the master encrypts its publish traffic with a shared AES key handed to accepted minions; rotating that key when a minion key is deleted is the documented way to deny a removed minion continued use of key material it already holds. The record does not name the specific cache involved, so the exact faulty code path should be taken from the vendor release notes rather than inferred from the description.

Defensive priority

Immediate. This is network-reachable, requires no user interaction, and can affect confidentiality and integrity. Systems still on affected Salt releases should be prioritized for upgrade and configuration review.

Recommended defensive actions

  • Upgrade Salt to 2015.8.11 or later.
  • Audit environments for minion ID reuse, especially after rebuilds, deprovisioning, or cloning.
  • Review master-side caching and access-control behavior for stale identity state, in particular cache entries keyed by a minion ID whose key has already been deleted.
  • Follow the vendor guidance referenced by NVD, including Salt master configuration documentation related to rotating the AES key.
  • Check whether any automation, orchestration, or secrets distribution workflows depend on assumptions about persistent minion identity.
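The actions above can be turned into a small audit that runs on a Salt master. The script below is an added example written for this debrief, not SaltStack code and not a reproduction of the faulty code path (which the CVE record does not describe). It checks whether the installed release falls in the affected range, lists master-side cache entries for minion IDs that no longer have an accepted key (the stale identity state the CVE description points at), and flags a master config that explicitly sets `rotate_aes_key: False`. It assumes the default master paths `/etc/salt/pki/master/minions` (accepted keys) and `/var/cache/salt/master/minions` (per-minion cache), that `salt-master --version` prints a line containing the version string, and that the `rotate_aes_key` master option is the relevant knob; none of those details come from the CVE record itself.

```python
"""Audit a Salt master for CVE-2016-9639 exposure (added example, not SaltStack code).

Assumptions (not from the CVE record): default master paths, the
`rotate_aes_key` master option, and the `salt-master --version` output format.
"""
import os
import re
import subprocess

FIXED_IN = (2015, 8, 11)  # 2015.8.11 is the first release NVD treats as fixed

# Assumed default master locations; override for non-standard installs.
DEFAULT_PKI_MINIONS = "/etc/salt/pki/master/minions"      # accepted minion keys
DEFAULT_CACHE_MINIONS = "/var/cache/salt/master/minions"  # per-minion cache dirs

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version):
    """Turn '2015.8.10', '2016.3.0rc1' or '3001.1' into a comparable int tuple.

    Missing components are treated as 0 so the newer single-number scheme
    ('3000') compares correctly against the older year.month.patch scheme.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Salt version: %r" % (version,))
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version):
    """True when the release predates 2015.8.11 (the NVD vulnerable range)."""
    return parse_version(version) < FIXED_IN


def version_from_cli_output(text):
    """Extract the first dotted version token from e.g. 'salt-master 2015.8.10 (Beryllium)'."""
    m = re.search(r"\b\d+(?:\.\d+)*", text)
    return m.group(0) if m else None


def stale_cache_ids(accepted_ids, cached_ids):
    """Cached minion IDs with no accepted key: state a reused ID could inherit."""
    return sorted(set(cached_ids) - set(accepted_ids))


def rotate_aes_key_disabled(master_config_text):
    """True if an uncommented line explicitly turns off rotate_aes_key.

    Line-oriented heuristic rather than a YAML parse; good enough for the
    flat key: value form the master config uses for this option.
    """
    for line in master_config_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        m = re.match(r"^rotate_aes_key\s*:\s*(\S+)", stripped)
        if m and m.group(1).lower() in ("false", "no", "off", "0"):
            return True
    return False


def scan_master(pki_minions=DEFAULT_PKI_MINIONS, cache_minions=DEFAULT_CACHE_MINIONS):
    """Read accepted keys and cache directories from disk and report stale IDs."""
    accepted = os.listdir(pki_minions) if os.path.isdir(pki_minions) else []
    cached = []
    if os.path.isdir(cache_minions):
        cached = [d for d in os.listdir(cache_minions)
                  if os.path.isdir(os.path.join(cache_minions, d))]
    return stale_cache_ids(accepted, cached)


if __name__ == "__main__":
    # Constructed inputs so the walk-through runs anywhere, followed by a
    # best-effort look at the real master if one is installed.
    sample_cli = "salt-master 2015.8.10 (Beryllium)"          # constructed
    sample_config = "# rotate_aes_key: True\nrotate_aes_key: False\n"  # constructed
    ver = version_from_cli_output(sample_cli)
    print("sample version %s affected: %s" % (ver, is_affected(ver)))
    print("sample stale cache IDs:",
          stale_cache_ids(["web01", "db01"], ["web01", "db01", "web02"]))
    print("sample config disables AES rotation:", rotate_aes_key_disabled(sample_config))
    try:
        out = subprocess.check_output(["salt-master", "--version"]).decode("utf-8", "replace")
        real_ver = version_from_cli_output(out)
        print("installed salt-master %s affected: %s" % (real_ver, is_affected(real_ver)))
    except (OSError, subprocess.CalledProcessError):
        print("salt-master not found on PATH; skipping installed-version check")
    print("stale cache IDs on this host:", scan_master())
```

Run it as root on the master so both directories are readable. Any ID reported by `scan_master()` should be cross-checked against `salt-key -L` before its cache directory is removed, and an affected version means upgrading takes priority over tidying the cache, since the cache is only a symptom of the access-control bug.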

Evidence notes

All statements here are grounded in the supplied CVE and NVD metadata: the issue description says deleted minions can read or write to minions with the same ID and ties the behavior to caching; NVD marks the vulnerability as affecting Salt through 2015.8.10 and assigns CWE-284 with CVSS 3.0 9.1 Critical. The published date used for context is 2017-02-07, and the 2026-05-13 timestamp reflects record modification, not the vulnerability date.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-07, with later record modification on 2026-05-13. The NVD references include Salt vendor documentation and third-party advisory links.