PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9323 urwid CVE debrief

The CVE record for CVE-2026-9323 was published on 2026-07-18T14:17:12.170Z and has not been modified since then. The NVD entry is currently Received. This vulnerability affects the urwid library, specifically the web display backend, which generates web session identifiers using Python's Mersenne Twister PRNG, a non-cryptographically secure method. An attacker can predict session IDs and enumerate active sessions, potentially leading to code execution. Users of the urwid library, particularly those using the web display backend, should be aware of this vulnerability and take steps to mitigate it.

Vendor
urwid
Product
Unknown
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-18
Original CVE updated
2026-07-18
Advisory published
2026-07-18
Advisory updated
2026-07-18

Who should care

Users of the urwid library, particularly those using the web display backend, should be aware of this vulnerability and take steps to mitigate it. This includes updating to the latest version of urwid, using a cryptographically secure PRNG for session ID generation, and implementing additional security measures to prevent session enumeration and code injection. System administrators and security teams responsible for systems using the urwid library should review and apply the necessary patches or mitigations.

Technical summary

The urwid web display backend generates web session identifiers using Python's Mersenne Twister PRNG, which is not cryptographically secure. An attacker can predict session IDs and enumerate active sessions, potentially leading to code execution. The Mersenne Twister PRNG used by Python's random module is not suitable for generating secure session IDs. This vulnerability allows an attacker to read the victim's terminal screen via the polling endpoint, inject keystrokes into the victim's session, and inject exit sequences or flood the FIFO to terminate or crash the session.

Defensive priority

High

Recommended defensive actions

  • Update to the latest version of urwid
  • Use a cryptographically secure PRNG for session ID generation
  • Implement additional security measures to prevent session enumeration and code injection
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability is caused by the use of a non-cryptographically secure PRNG for session ID generation. The Mersenne Twister PRNG used by Python's random module is not suitable for generating secure session IDs. An attacker who observes approximately 334 session IDs can fully reconstruct the internal state and predict all past and future session IDs. The same identifier is also used as the filename of a FIFO created in the world-listable /tmp directory, allowing any local user on the host to list /tmp to enumerate active session tokens directly.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-18T14:17:12.170Z and has not been modified since then. The NVD entry is currently Received.