Skip to content

chore(deps): update dependency cryptography to v46 [security]#1215

Open
renovatebotcpg[bot] wants to merge 1 commit into
devfrom
renovate/pypi-cryptography-vulnerability
Open

chore(deps): update dependency cryptography to v46 [security]#1215
renovatebotcpg[bot] wants to merge 1 commit into
devfrom
renovate/pypi-cryptography-vulnerability

Conversation

@renovatebotcpg

@renovatebotcpg renovatebotcpg Bot commented Feb 17, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
cryptography (changelog) project.dependencies major 44.0.146.0.5

cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

CVE-2026-26007 / GHSA-r6ph-v2qm-q3c2

More information

Details

Vulnerability Summary

The public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve.

This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.

Only SECT curves are impacted by this.

Credit

This vulnerability was discovered by:

  • XlabAI Team of Tencent Xuanwu Lab
  • Atuin Automated Vulnerability Discovery Engine

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pyca/cryptography (cryptography)

v46.0.5

Compare Source

v46.0.4

Compare Source

v46.0.3

Compare Source

v46.0.2

Compare Source

v46.0.1

Compare Source

v46.0.0

Compare Source

v45.0.7

Compare Source

v45.0.6

Compare Source

v45.0.5

Compare Source

v45.0.4

Compare Source

v45.0.3

Compare Source

v45.0.2

Compare Source

v45.0.1

Compare Source

v45.0.0

Compare Source

v44.0.3

Compare Source

v44.0.2

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@renovatebotcpg renovatebotcpg Bot requested a review from a team as a code owner February 17, 2026 23:02
@github-actions

github-actions Bot commented Feb 17, 2026

Copy link
Copy Markdown

PR Checklist ✅

Have you checked the following?

  • Changes do not contain the names of any sensitive CPG projects
  • Tests cover any newly added code
  • There aren't any unnecessary autoformatting changes
  • Pull request description is appropriate for use as a commit message for squash commit

Check all boxes before merging.

@codecov

codecov Bot commented Feb 17, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.21%. Comparing base (5640c89) to head (79cad62).

Additional details and impacted files
@@           Coverage Diff           @@
##              dev    #1215   +/-   ##
=======================================
  Coverage   83.21%   83.21%           
=======================================
  Files         216      216           
  Lines       18949    18949           
=======================================
  Hits        15768    15768           
  Misses       3181     3181           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@violetbrina violetbrina left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this issue relates to us but it's worth keeping an eye on since we've also moved to Python 3.14.

Currently passing our unittests so I think it's fine but probably should wait to merge until after the postgres-migration containing the 3.14 change.

@dancoates since you're often working on metamist I'm assuming you'd like eyes on the chore PRs as well? Or are you ok with anyone from ST merging in upgrading dependency PRs?

@renovatebotcpg renovatebotcpg Bot changed the title chore(deps): update dependency cryptography to v46 [security] chore(deps): update dependency cryptography to v46 [security] - autoclosed Mar 27, 2026
@renovatebotcpg renovatebotcpg Bot closed this Mar 27, 2026
@renovatebotcpg renovatebotcpg Bot deleted the renovate/pypi-cryptography-vulnerability branch March 27, 2026 02:02
@renovatebotcpg renovatebotcpg Bot changed the title chore(deps): update dependency cryptography to v46 [security] - autoclosed chore(deps): update dependency cryptography to v46 [security] Mar 29, 2026
@renovatebotcpg renovatebotcpg Bot reopened this Mar 29, 2026
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch 2 times, most recently from 295cc1d to df6d061 Compare March 29, 2026 00:22
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch 3 times, most recently from 222ec60 to c91e152 Compare April 14, 2026 02:57
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch from c91e152 to be237d0 Compare April 26, 2026 00:28
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch from be237d0 to f120868 Compare May 10, 2026 00:33
@renovatebotcpg renovatebotcpg Bot changed the title chore(deps): update dependency cryptography to v46 [security] chore(deps): update dependency cryptography to v48 [security] Jun 5, 2026
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch 2 times, most recently from fa4aa64 to 01ca384 Compare June 5, 2026 04:53
@renovatebotcpg renovatebotcpg Bot changed the title chore(deps): update dependency cryptography to v48 [security] chore(deps): update dependency cryptography to v46 [security] Jun 7, 2026
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch 2 times, most recently from 2862f85 to fde7a4a Compare June 14, 2026 00:42
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch from fde7a4a to 12426e8 Compare June 25, 2026 05:10
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch 2 times, most recently from 6f3e43c to f1005e9 Compare July 3, 2026 05:23
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch from f1005e9 to 8b99953 Compare July 10, 2026 04:56
@renovatebotcpg renovatebotcpg Bot force-pushed the renovate/pypi-cryptography-vulnerability branch from 8b99953 to 79cad62 Compare July 10, 2026 06:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant