Search
Find a vulnerability
Search criteria
1 vulnerability found for InetUtils by gnu
GCVE-1-2026-0007 (CVE-2026-24061)
Vulnerability from gna-1 – Published: 2026-01-20 20:57 – Updated: 2026-01-26 16:32
VLAI
Title
GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
Summary
The telnetd server invokes /usr/bin/login (normally running as root)
passing the value of the USER environment variable received from the
client as the last parameter.
If the client supply a carefully crafted USER environment value being
the string "-f root", and passes the telnet(1) -a or --login parameter
to send this USER environment to the server, the client will be
automatically logged in as root bypassing normal authentication
processes.
This happens because the telnetd server do not sanitize the USER
environment variable before passing it on to login(1), and login(1)
uses the -f parameter to by-pass normal authentication.
Severity: High
Vulnerable versions: GNU InetUtils since version 1.9.3 up to and
including version 2.7.
Severity
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://seclists.org/oss-sec/2026/q1/89 | vendor-advisory |
| https://codeberg.org/inetutils/inetutils/commit/f… | related |
Credits
Relationships
- related CVE-2007-0882
- related CVE-1999-0113
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "InetUtils",
"vendor": "gnu",
"versions": [
{
"lessThanOrEqual": "2.7",
"status": "affected",
"version": "1.9.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kyu Neushwaistein aka Carlos Cortes Alvarez"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Simon Josefsson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cpre\u003eThe telnetd server invokes /usr/bin/login (normally running as root)\npassing the value of the USER environment variable received from the\nclient as the last parameter.\n\nIf the client supply a carefully crafted USER environment value being\nthe string \"-f root\", and passes the telnet(1) -a or --login parameter\nto send this USER environment to the server, the client will be\nautomatically logged in as root bypassing normal authentication\nprocesses.\n\nThis happens because the telnetd server do not sanitize the USER\nenvironment variable before passing it on to login(1), and login(1)\nuses the -f parameter to by-pass normal authentication.\n\nSeverity: High\n\nVulnerable versions: GNU InetUtils since version 1.9.3 up to and\nincluding version 2.7.\u003c/pre\u003e\u003cbr\u003e"
}
],
"value": "The telnetd server invokes /usr/bin/login (normally running as root)\npassing the value of the USER environment variable received from the\nclient as the last parameter.\n\nIf the client supply a carefully crafted USER environment value being\nthe string \"-f root\", and passes the telnet(1) -a or --login parameter\nto send this USER environment to the server, the client will be\nautomatically logged in as root bypassing normal authentication\nprocesses.\n\nThis happens because the telnetd server do not sanitize the USER\nenvironment variable before passing it on to login(1), and login(1)\nuses the -f parameter to by-pass normal authentication.\n\nSeverity: High\n\nVulnerable versions: GNU InetUtils since version 1.9.3 up to and\nincluding version 2.7."
}
],
"impacts": [
{
"capecId": "CAPEC-13",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-13 Subverting Environment Variable Values"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://seclists.org/oss-sec/2026/q1/89"
},
{
"tags": [
"related"
],
"url": "https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "GNU InetUtils Security Advisory: remote authentication by-pass in telnetd",
"x_gcve": [
{
"recordType": "advisory",
"relationships": [
{
"destId": "CVE-2007-0882",
"type": "related"
},
{
"destId": "CVE-1999-0113",
"type": "related"
}
],
"vulnId": "GCVE-1-2026-0007"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2026-24061",
"datePublished": "2026-01-20T20:57:00.000Z",
"dateUpdated": "2026-01-26T16:32:40.831364Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "GCVE-1-2026-0007",
"vulnerabilitylookup_history": [
[
"alexandre.dulaunoy@circl.lu",
"2026-01-20T20:57:01.702747Z"
],
[
"cedric.bonhomme@circl.lu",
"2026-01-23T10:57:36.157223Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-01-26T16:26:04.438979Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-01-26T16:26:56.813944Z"
],
[
"alexandre.dulaunoy@circl.lu",
"2026-01-26T16:32:40.831364Z"
]
]
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}