Skip to main content

Gobgp EUVDEUVD-2026-17139

| CVE-2026-5124 MEDIUM
Improper Access Control (CWE-284)
2026-03-30 VulDB
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 30, 2026 - 16:45 euvd
EUVD-2026-17139
Analysis Generated
Mar 30, 2026 - 16:45 vuln.today
Patch released
Mar 30, 2026 - 16:45 nvd
Patch available
CVE Published
Mar 30, 2026 - 16:15 nvd
MEDIUM 6.3

DescriptionCVE.org

A security vulnerability has been detected in osrg GoBGP up to 4.3.0. Affected is the function BGPHeader.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP Header Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is told to be difficult. The identifier of the patch is f0f24a2a901cbf159260698211ab15c583ced131. To fix this issue, it is recommended to deploy a patch.

AnalysisAI

Improper access controls in osrg GoBGP up to version 4.3.0 allow remote attackers to bypass authentication via manipulation of the BGP Header Handler's DecodeFromBytes function. The vulnerability affects the BGP packet parsing mechanism and enables unauthorized modifications to BGP protocol state without requiring authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS vector (AV:N/AC:H/PR:N/UI:N) indicates remote attack vector without authentication, but high complexity significantly raises the barrier to exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the network sends crafted BGP packets with malformed headers to a GoBGP instance, exploiting the improper access control in DecodeFromBytes to bypass authentication checks. Due to high attack complexity, the attacker must have detailed knowledge of BGP protocol internals and packet structure, but once successful, may alter BGP routing state or negotiate unauthorized protocol parameters. …
Remediation Apply the upstream patch identified by commit f0f24a2a901cbf159260698211ab15c583ced131, available via GitHub PR #3340 at https://github.com/osrg/gobgp/pull/3340. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Debian

gobgp
Release Status Fixed Version Urgency
bullseye vulnerable 2.25.0-2 -
bookworm vulnerable 3.10.0-1 -
trixie vulnerable 3.36.0-2 -
forky, sid vulnerable 4.3.0-1 -
(unstable) fixed (unfixed) -

Share

EUVD-2026-17139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy