Platform
other
Component
jumpserver
Fixed in
4.10.17
CVE-2026-31798 is a medium-severity vulnerability in JumpServer. It stems from improper certificate validation in the Custom SMS API Client: the client does not properly validate the TLS certificate of the SMS gateway it calls, so an attacker positioned on the network path between JumpServer and the gateway can present a forged certificate, terminate the connection, and read the Multi-Factor Authentication (MFA) or One-Time Password (OTP) code carried in the request. Affected versions are 4.10.16-lts and earlier; the fix ships in 4.10.17 (see Fixed in above).
The primary impact of CVE-2026-31798 is that the SMS second factor can be defeated. An attacker exploiting it obtains the MFA/OTP code at the moment JumpServer submits it to the Custom SMS API, before the code reaches the user's phone. On its own the code is not a login: combined with the user's password (from phishing, reuse or a prior breach), it lets the attacker complete authentication as that user, which for a bastion host such as JumpServer can mean access to every asset the user is authorised to reach, full system control and data exfiltration. The blast radius is limited to deployments that use the Custom SMS API Client for MFA/OTP, and to attackers who can interpose on the path between JumpServer and the SMS gateway. The underlying lesson is that every outbound integration carrying secrets must enforce TLS certificate validation.
This vulnerability was publicly disclosed on 2026-03-13. There is currently no indication of active exploitation, no KEV listing, and no public proof-of-concept. Exploitation does not depend on a PoC: an attacker who can interpose on the connection to the SMS gateway (for example via DNS or ARP spoofing, a compromised proxy, or a malicious network hop) presents a forged certificate, the client accepts it, and the request carrying the OTP is delivered to the attacker. Passive capture of traffic is not enough, since the transport is still TLS; an active on-path position is required. The CVSS base score is 5.0 (Medium).
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-31798 is to upgrade JumpServer to 4.10.17 or later (the release listed above under Fixed in). If upgrading is not immediately feasible, temporarily disable the Custom SMS API Client and move affected users to another MFA method, since disabling the client also removes the SMS factor. Review every Custom SMS API Client configuration: the gateway URL must use https, and the certificate the gateway presents must chain to a CA the JumpServer host trusts (add a private CA to the trust store rather than turning validation off). Monitor JumpServer logs for SMS API failures or requests to unexpected gateway endpoints. After upgrading, confirm the fix by pointing a test configuration at an HTTPS endpoint that presents a self-signed or hostname-mismatched certificate and checking that the send is rejected with a certificate error; a client that still accepts it remains vulnerable.
Update JumpServer to 4.10.17 or later. This release corrects the improper certificate validation in the Custom SMS API Client, so a forged gateway certificate is rejected and the OTP is no longer exposed to an on-path attacker.
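The vulnerable-versus-hardened pattern behind this class of bug, together with an audit check for the configuration review described above, as an added example. This is illustrative code written for this page, not JumpServer's Custom SMS API Client; the configuration fields (url, method, body_template, ca_file) and the sample gateway URL are assumptions, not JumpServer's schema.

```python
"""Custom SMS API client: TLS verification disabled (vulnerable) beside the hardened form.

Illustrative code for this page, not JumpServer's own client. The config field names
and the gateway URL below are assumptions, not JumpServer's schema.
"""
from __future__ import annotations

import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample configuration for a custom SMS gateway (hypothetical schema).
SAMPLE_CONFIG = {
    "url": "https://sms-gateway.example/api/v1/send",
    "method": "POST",
    "body_template": {"to": "{phone}", "message": "Your JumpServer code is {code}"},
    "ca_file": None,  # path to a private CA bundle if the gateway uses one
}


def insecure_context() -> ssl.SSLContext:
    """The vulnerable pattern (CWE-295): accept any certificate for any host.

    Equivalent to requests.post(..., verify=False). An on-path attacker who terminates
    the TLS connection with a forged certificate is accepted and reads the OTP in the body.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_file: str | None = None) -> ssl.SSLContext:
    """The fixed pattern: chain to a trusted CA (system store, or the gateway's private CA
    via ca_file) and require the certificate to match the hostname in the URL."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not enforce certificate validation")
    return ctx


def render_request(cfg: dict, phone: str, code: str) -> tuple[str, str, bytes]:
    """Fill the placeholders and return (url, method, body bytes) for the gateway call."""
    body = {k: v.format(phone=phone, code=code) for k, v in cfg["body_template"].items()}
    return cfg["url"], cfg["method"], json.dumps(body).encode()


def send_otp(cfg: dict, phone: str, code: str, ctx: ssl.SSLContext) -> int:
    """Send the OTP to the gateway over TLS using ctx; return the HTTP status.

    With insecure_context() the OTP is exposed to anyone who can interpose on the path;
    with hardened_context() a forged certificate raises ssl.SSLCertVerificationError.
    """
    url, method, body = render_request(cfg, phone, code)
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


def audit_config(cfg: dict, ctx: ssl.SSLContext) -> list[str]:
    """Findings a reviewer should flag when auditing a custom SMS integration."""
    findings = []
    if urllib.parse.urlsplit(cfg["url"]).scheme != "https":
        findings.append("endpoint is not https: OTP travels in cleartext")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: forged certificates are accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any host is accepted")
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit_config(SAMPLE_CONFIG, insecure_context()))
    print("hardened:  ", audit_config(SAMPLE_CONFIG, hardened_context(SAMPLE_CONFIG["ca_file"])))
```

The audit runs offline against the configuration and the TLS context only; `send_otp` is what actually contacts the gateway. For the post-upgrade check, the same `send_otp` call made with `hardened_context()` against an endpoint presenting a self-signed certificate must fail with `ssl.SSLCertVerificationError`; if it succeeds, validation is still not being enforced.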
CVE-2026-31798 is a medium-severity vulnerability in JumpServer versions ≤ 4.10.16-lts where improper certificate validation in the Custom SMS API Client allows attackers to intercept MFA/OTP codes.
You are affected if you are using JumpServer version 4.10.16-lts or earlier and utilize the Custom SMS API Client for MFA/OTP.
Upgrade JumpServer to 4.10.17 or later. If an immediate upgrade is not possible, temporarily disable the Custom SMS API Client and move affected users to another MFA method.
There is currently no indication of active exploitation. Exploiting it requires an active on-path position between JumpServer and the SMS gateway (the attacker must terminate the TLS connection with a forged certificate); passive capture of traffic is not enough.
Refer to the official JumpServer security advisories on their website or GitHub repository for the latest information.