Insecure Random Number Generation in Urwid Web Display Backend
CVE-2026-9323
9.2CRITICAL
What is CVE-2026-9323?
The Urwid web display backend improperly generates web session identifiers using a non-cryptographically secure random number generator (Mersenne Twister). This leads to potential session hijacking as attackers can reconstruct the internal state after observing a limited number of session IDs. Additionally, the generated session ID is used in a publicly accessible FIFO file, allowing local users to enumerate active sessions. Consequently, an attacker could gain unauthorized access to a user's terminal session, inject keystrokes, and even execute OS-level commands with the privileges of the legitimate user.
Affected Version(s)
urwid 0 <= 24acd12
