Listen to this Post
The vulnerability in Salt stems from an authentication protocol version downgrade weakness. Salt uses a protocol for minions to authenticate with the master, where versions indicate security features. In affected versions, the master allows minions to use older protocol versions during authentication, even when both support newer ones. A malicious minion can craft an authentication request with an older payload format, deliberately downgrading the protocol version. This triggers the use of deprecated authentication methods that lack security enhancements introduced in later versions. For example, newer versions may have added stronger encryption or signature checks to prevent impersonation. By downgrading, the minion bypasses these protections. The master fails to enforce the highest mutual protocol version, accepting the older request. This allows the minion to impersonate another legitimate minion by exploiting weaker authentication mechanisms. The attack occurs during the initial handshake, where version negotiation is not properly validated. Consequently, an attacker can mimic any minion identity, gaining unauthorized access to the master. This could lead to execution of arbitrary commands, data theft, or full compromise of the Salt infrastructure. The vulnerability affects Salt versions from 3006.12 to 3006.16 and 3007.4 to 3007.8, where protocol version enforcement is insufficient. Patched versions fix this by mandating the use of the latest protocol version and rejecting downgrade attempts.
Platform: Salt
Version: 3006.12-3006.16, 3007.4-3007.8
Vulnerability: Authentication Protocol Downgrade
Severity: High
Date: Jan 30, 2026
Prediction: Patch released Feb2026
What Undercode Say:
Analytics:
– `salt –version` check
– `salt-key -L` list
– Craft downgrade request
How Exploit:
Malicious minion sends old protocol version request during authentication, bypassing security features to impersonate another minion.
Protection from this CVE
Update to patched versions 3006.17 or 3007.9; enforce protocol version consistency.
Impact:
Minion impersonation leading to unauthorized access and command execution.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

