Insecure Random Number Generation in Urwid Web Display Backend
CVE-2026-9323

9.2CRITICAL

Key Information:

Vendor

Urwid

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2026-9323?

The Urwid web display backend improperly generates web session identifiers using a non-cryptographically secure random number generator (Mersenne Twister). This leads to potential session hijacking as attackers can reconstruct the internal state after observing a limited number of session IDs. Additionally, the generated session ID is used in a publicly accessible FIFO file, allowing local users to enumerate active sessions. Consequently, an attacker could gain unauthorized access to a user's terminal session, inject keystrokes, and even execute OS-level commands with the privileges of the legitimate user.

Affected Version(s)

urwid 0 <= 24acd12

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Katriel Moses
.