Skip to main content

Ghidra CVE-2026-52754

| EUVD-2026-36013 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-06-10 VulnCheck
Authentication Bypass Jwt Attack
8.7
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 10, 2026 - 14:33 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 14:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 10, 2026 - 14:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
Jun 10, 2026 - 14:08 vuln.today
Analysis Generated
Jun 10, 2026 - 14:08 vuln.today

DescriptionNVD

Ghidra before 12.1 contains an authentication bypass vulnerability in PKIAuthenticationModule.authenticate() that allows any user with a valid CA-signed certificate to impersonate other users by presenting their public certificate with a null signature. Attackers can escalate privileges, modify repository access controls, exfiltrate shared reverse engineering databases, and permanently compromise server integrity.

AnalysisAI

Authentication bypass in NSA Ghidra versions prior to 12.1 allows any holder of a valid CA-signed certificate to impersonate arbitrary users by submitting their public certificate alongside a null signature to PKIAuthenticationModule.authenticate(). Successful exploitation yields privilege escalation, tampering of repository access controls, exfiltration of shared reverse-engineering databases, and persistent compromise of the Ghidra server. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify exposed Ghidra/BSim server
Delivery
Obtain any CA-trusted client certificate
Exploit
Fetch target admin's public certificate
Install
Submit admin cert with null signature to PKIAuthenticationModule.authenticate()
C2
Gain impersonated admin session
Execute
Modify ACLs and exfiltrate repositories
Impact
Plant persistent backdoor in shared databases
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network reachability to a Ghidra server with the PKIAuthenticationModule enabled - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 scores this 8.7 with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H - network-reachable, low complexity, requires only low privileges (any valid CA-issued certificate), no user interaction, and full compromise of confidentiality, integrity, and availability of the vulnerable component. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds any certificate signed by a CA trusted by the target Ghidra server - for example a low-privileged developer cert or a leaked contractor cert - connects to the server and presents the public certificate of a Ghidra administrator together with a null cryptographic signature. PKIAuthenticationModule.authenticate() accepts the impersonation, granting the attacker admin-level access to modify repository ACLs, exfiltrate proprietary reverse-engineering project databases, and plant backdoors that survive the session. …
Remediation Vendor-released patch: upgrade to Ghidra 12.1 or later, which incorporates fixes from commits 78729379e471bbb3d969409be6a8c3d24af84220 and 79d8f164f8bb8b15cfb60c5d4faeb8e1c25d15ca that enforce proper signature verification in PKIAuthenticationModule.authenticate(). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Identify all Ghidra instances, document current versions, and review certificate authority configuration. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-44748 CRITICAL
9.9 Jun 09

Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privile
CVE-2026-36721 CRITICAL
9.8 Jun 09

A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to

CVE-2026-41694 LOW
3.7 Jun 10

Decryption oracle exposure in Spring Security's SAML module allows unauthenticated remote attackers (PR:N, AV:N per CVSS
CVE-2026-47192 LOW
Jun 04

Late signature validation in Siemens kas (pip/kas >= 4.8, < 5.3) allows an attacker who has already compromised a refere

Share

CVE-2026-52754 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy