CVE-2026-26007 Affecting py3-cassandra-medusa package, versions <0.27.0-r4
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-WOLFILATEST-PY3CASSANDRAMEDUSA-15411686
- published5 Mar 2026
- disclosed10 Feb 2026
Introduced: 10 Feb 2026
CVE-2026-26007 (opens in a new tab)How to fix?
Upgrade Wolfi py3-cassandra-medusa to version 0.27.0-r4 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream py3-cassandra-medusa package and not the py3-cassandra-medusa package as distributed by Wolfi.
See How to fix? for Wolfi relevant fixed versions and status.
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.