PT-2026-60967 · Pypi · Urwid

·

CVE-2026-9323

·

Published

2026-07-18

·

Updated

2026-07-18

CVSS v3.1

8.1

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions urwid (affected versions not specified)
Description The web display backend in urwid/display/web.py uses Python's Mersenne Twister PRNG to generate web session identifiers urwid id within the Screen.start() function. Because this PRNG is not cryptographically secure, an attacker observing approximately 334 session IDs, such as those found in the X-Urwid-ID HTTP response header, can reconstruct the internal state and predict all past and future session IDs. Additionally, these identifiers are used as filenames for FIFOs created in the world-listable /tmp directory, allowing any local user to enumerate active session tokens. A valid session ID enables an attacker to read the victim's terminal screen via the polling endpoint, inject keystrokes—potentially leading to OS-level code execution if a shell is running—or crash the session by flooding the FIFO.
Recommendations Update urwid to the release containing fix commit 24acd12. As a temporary mitigation, restrict access to the web display backend or avoid using it if not strictly necessary.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9323

Affected Products

Urwid