Skip to main content

electerm EUVDEUVD-2026-32959

| CVE-2026-45787 MEDIUM
Inadequate Encryption Strength (CWE-326)
2026-05-14 https://github.com/electerm/electerm GHSA-g29v-q6h7-76wh
6.0
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 28, 2026 - 18:22 NVD
6.0 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 22:06 vuln.today
Analysis Generated
May 14, 2026 - 22:06 vuln.today
CVE Published
May 14, 2026 - 20:30 nvd
MEDIUM

DescriptionGitHub Advisory

Impact

_Insecure sync encryption: deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks._

Patches

  • https://github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937

Workarounds

  • No

References

  • Report / credit: https://github.com/Curly-Haired-Baboon
  • Electerm releases: https://github.com/electerm/electerm/releases

AnalysisAI

electerm's sync encryption uses deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no message authentication code, allowing attackers to crack common passwords across multiple installations and perform undetected bit-flip attacks on synced bookmark and profile data. Affects electerm versions prior to 3.9.5. No public exploit code identified at time of analysis, but the cryptographic weaknesses are fundamental and exploitable without specialized tooling.

Technical ContextAI

electerm is an npm package that implements profile and bookmark synchronization for terminal applications. The vulnerability stems from CWE-326 (inadequate encryption strength) in the sync encryption mechanism. The affected code uses AES-192-CBC mode with deterministic encryption: a fixed zero initialization vector (IV) means identical plaintext always produces identical ciphertext, enabling pattern analysis; a constant KDF (key derivation function) salt allows offline password cracking to be performed once and applied across all installations; the absence of a message authentication code (MAC) or authenticated encryption (AEAD) allows undetected modification of encrypted data through bit-flip attacks. This combination violates cryptographic best practices for confidentiality and integrity protection.

RemediationAI

Upgrade electerm to version 3.9.5 or later immediately. This patched version (https://github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937) remediates the encryption flaws. Existing synced data encrypted with the vulnerable version should be considered potentially compromised; administrators should rotate any credentials or sensitive configuration data stored in bookmarks or profiles. No workarounds are available short of disabling the sync feature entirely, which would require forgoing synchronized bookmark and profile functionality. Users who have synced data with vulnerable versions should force a re-encryption and re-sync after upgrading.

Share

EUVD-2026-32959 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy