PT-2026-32133 — Improper Verification of Cryptographic Signature in Pypi Openssl-Encrypt

PT-2026-32133 · Pypi · Openssl-Encrypt

Published

2026-04-01

Updated

2026-04-01

CVSS v4.0

6.6

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Summary

The PublicKeyBundle.from dict() method in openssl encrypt/modules/key bundle.py at lines 329-361 creates bundles from untrusted data without verifying the signature. The docstring warns to call verify signature() after creation, but the to identity() method (line 363-391) can convert an unverified bundle directly to an Identity object.

Affected Code

python

@classmethod
def from dict(cls, data: Dict) -> "PublicKeyBundle":
  """
  SECURITY: Does NOT verify signature. Call verify signature() after creation.
  """
  # Creates bundle without verification

Impact

If from dict() followed by to identity() is called without an intervening verify signature() call, encryption could be performed against an attacker's public key, leaking secrets. While key resolver.py (lines 146-147) does verify before use, the unguarded API path remains directly callable.

Recommended Fix

Add a verified flag to PublicKeyBundle that must be set before to identity() can be called
Or have to identity() automatically call verify signature() and raise on failure
Or make from dict() require verification as part of construction

Fix

Fixed in commit f4a1ba6 on branch releases/1.4.x — from dict() now verifies self signature by default (verify=True parameter); raises ValueError on verification failure.

Fix

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-347

Related Identifiers

GHSA-8H88-GXP3-J7PG

Affected Products

Openssl-Encrypt