Cryptographic Flaw in Python's Cryptography Package Could Impact Security
CVE-2026-26007

8.2HIGH

Key Information:

Vendor

Pyca

CVE Published:
10 February 2026

What is CVE-2026-26007?

The Python 'cryptography' package contains a flaw in its public key loading functions prior to version 46.0.5. Specifically, 'public_key_from_numbers', 'EllipticCurvePublicNumbers.public_key', 'load_der_public_key', and 'load_pem_public_key' did not verify that a supplied public key point lies in the expected prime-order subgroup of the elliptic curve. Because of this missing check, an attacker can supply a public key from a small-order subgroup, which undermines operations that consume the key, such as ECDSA signature verification and ECDH key agreement. When a victim computes a shared secret with such a weak public key, the result can leak information about the victim's private key, specifically its low-order bits. The risk is most pronounced for SECT (binary-field) curves. Users should upgrade to version 46.0.5 or later.

Affected Version(s)

cryptography < 46.0.5

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
