CVE-2026-1063
📋 TL;DR
This CVE describes a command injection vulnerability in Bastillion's Public Key Management System that allows remote attackers to execute arbitrary commands on affected systems. The vulnerability exists in the AuthKeysKtrl.java component and affects Bastillion versions up to 4.0.1. Organizations using vulnerable Bastillion installations for SSH key management are at risk.
💻 Affected Systems
- bastillion-io Bastillion
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full system compromise, executes arbitrary commands with application privileges, potentially leading to lateral movement, data exfiltration, or complete system takeover.
Likely Case
Authenticated or semi-authenticated attacker executes commands with application user privileges, potentially accessing sensitive SSH keys, modifying authorized keys, or establishing persistent access.
If Mitigated
With proper network segmentation and least privilege, impact limited to application container/VM, preventing lateral movement to other systems.
🎯 Exploit Status
Exploit details publicly available on GitHub. Attack requires some level of access to the key management interface. The vendor did not respond to disclosure attempts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: Yes
Instructions:
No official patch available. Consider upgrading to latest version if available, or implement workarounds. Monitor Bastillion GitHub repository for updates.
🔧 Temporary Workarounds
Input Validation Enhancement
Add input validation and sanitization to AuthKeysKtrl.java to prevent command injection. This requires a Java development environment and source code modification: implement proper input validation using whitelisting (allowlisting) and parameterized commands, so that user-supplied key data is never interpolated into a shell command line.
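The following is an added example, written for this page and not Bastillion's own code, of the allowlisting approach just described. It accepts only a strictly formatted `type base64 [comment]` public key line, confirms the decoded blob declares the same key type, rejects shell metacharacters and control characters in the comment, and appends the result with plain file I/O rather than a shell. The key types, comment character set and sample key are assumptions chosen for this example.

```python
"""Allowlist validation of an SSH public key before it reaches authorized_keys.
Added example, not Bastillion code; no shell is involved at any point."""
import base64
import os
import re
import struct
import tempfile

# Allowlist of key types accepted; anything else is rejected outright (assumption).
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
# Comment field: a narrow printable set, so ; | & $ ` quotes and spaces cannot appear.
COMMENT_RE = re.compile(r"^[A-Za-z0-9._@+-]{1,64}$")
# Overall grammar: <type> <base64 blob> [<comment>] with single spaces.
KEY_LINE_RE = re.compile(r"^(\S+) ([A-Za-z0-9+/]+={0,2})(?: (\S+))?$")

# Constructed sample: wire format is length-prefixed type string + length-prefixed key bytes.
_SAMPLE_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x01" * 32
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode() + " alice@example"


def validate_public_key(line: str) -> str:
    """Return a normalised 'type base64 [comment]' line, or raise ValueError."""
    line = line.strip()
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in line):
        raise ValueError("control or non-ASCII character in key")
    m = KEY_LINE_RE.match(line)
    if not m:
        raise ValueError("key does not match 'type base64 [comment]' grammar")
    key_type, blob_b64, comment = m.groups()
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"key type {key_type!r} not in allowlist")
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The blob must start with a length-prefixed string equal to the declared type.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key blob does not encode the declared key type")
    if comment is not None and not COMMENT_RE.match(comment):
        raise ValueError("comment contains disallowed characters")
    return " ".join(p for p in (key_type, blob_b64, comment) if p)


def rejects(line: str) -> bool:
    """True if the validator refuses the line (convenience for checks)."""
    try:
        validate_public_key(line)
    except ValueError:
        return True
    return False


def append_authorized_key(path: str, line: str) -> str:
    """Validate, then append using file I/O (never 'sh -c "echo ... >> file"')."""
    clean = validate_public_key(line)
    with open(path, "a", encoding="ascii") as fh:
        fh.write(clean + "\n")
    return clean


def demo_append() -> str:
    """Write the sample key to a temporary file and return the file contents."""
    fd, path = tempfile.mkstemp(prefix="authorized_keys_")
    os.close(fd)
    try:
        append_authorized_key(path, SAMPLE_KEY_LINE)
        with open(path, encoding="ascii") as fh:
            return fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_append(), end="")
    print("rejects metacharacter comment:",
          rejects(SAMPLE_KEY_LINE.replace("alice@example", "alice;x")))
```

The important design choice is that the key line is checked against a grammar the application fully understands (type, base64, structured blob) instead of being filtered for "bad" characters, and the write path has no shell to inject into at all.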
Network Access Restriction
linuxRestrict network access to Bastillion management interface
# Example iptables rule for Linux
iptables -A INPUT -p tcp --dport [bastillion-port] -s [trusted-networks] -j ACCEPT
iptables -A INPUT -p tcp --dport [bastillion-port] -j DROP
🧯 If You Can't Patch
- Isolate Bastillion instance in separate network segment with strict firewall rules
- Implement web application firewall (WAF) with command injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Bastillion version. If it is 4.0.1 or earlier, the system is vulnerable. Review application logs for suspicious command execution patterns.
Check Version:
Check the Bastillion web interface or configuration files for version information; it is typically found in the web interface footer or at a /version endpoint.
Verify Fix Applied:
Test key management functionality with malicious input to ensure commands are not executed. Verify input validation is properly implemented.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in application logs
- Multiple failed authentication attempts followed by key management actions
- Suspicious characters in key management requests (;, |, &, $)
Network Indicators:
- Unusual outbound connections from Bastillion server
- SSH connections from Bastillion server to unexpected destinations
SIEM Query (Splunk-style; the request field name depends on your log source):
source="bastillion.log" AND ("command injection" OR "runtime.exec" OR "ProcessBuilder" OR request="*;*" OR request="*|*" OR request="*&*" OR request="*$*")
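As an added example of the log indicators above (not part of the advisory and not Bastillion tooling), the script below runs three rules over constructed access-log lines: shell metacharacters inside key-management request parameters, logged process execution (`runtime.exec` / `ProcessBuilder`), and a key-management action by a user who just had repeated failed logins. The log format, endpoint paths and threshold are assumptions made for this example; adapt them to your own logging.

```python
"""Detection pass over constructed key-management log lines (added example)."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl

# Characters the advisory lists as suspicious in key-management requests, plus backtick.
META_RE = re.compile(r"[;|&$`]")
# Evidence of process execution reaching the application log.
EXEC_RE = re.compile(r"runtime\.exec|ProcessBuilder|command injection", re.IGNORECASE)
# Assumed line format: <timestamp> <user> <path> <status> "<query or message>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<query>[^"]*)"$')
# Assumed endpoint names for the key-management feature (not Bastillion's real routes).
KEY_MGMT_PATHS = {"/admin/saveKey", "/admin/deleteKey"}
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample log; none of these lines come from a real system.
SAMPLE_LOG = """\
2026-01-10T10:00:01Z alice /admin/viewKeys 200 "keyNm=laptop&publicKey=ssh-ed25519 AAAAC3"
2026-01-10T10:00:02Z alice /admin/saveKey 200 "keyNm=laptop;x&publicKey=ssh-ed25519 AAAAC3 x$y"
2026-01-10T10:00:03Z - /login 401 "username=bob"
2026-01-10T10:00:04Z - /login 401 "username=bob"
2026-01-10T10:00:05Z - /login 401 "username=bob"
2026-01-10T10:00:06Z bob /admin/saveKey 200 "keyNm=ok&publicKey=ssh-rsa AAAAB3"
2026-01-10T10:00:07Z app - 500 "java.lang.ProcessBuilder started for /admin/saveKey"
"""


def suspicious_chars(query: str) -> str:
    """Metacharacters found in parameter *values* (the '&' separator itself is ignored)."""
    found = set()
    for _, value in parse_qsl(query, keep_blank_values=True):
        found.update(META_RE.findall(value))
    return "".join(sorted(found))


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one alert dict per matched rule, in log order."""
    alerts: List[Dict[str, str]] = []
    failed_logins: Dict[str, int] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line: skip rather than crash the pass
        ev = m.groupdict()
        path, query, user = ev["path"], ev["query"], ev["user"]

        if path in KEY_MGMT_PATHS:
            chars = suspicious_chars(query)
            if chars:
                alerts.append({"rule": "shell-metachar-in-key-request",
                               "chars": chars, "line": raw})
        if EXEC_RE.search(query):
            alerts.append({"rule": "process-execution-logged", "line": raw})

        # Failed logins are counted by the submitted username; a later key action
        # by that user (once authenticated) is flagged.
        if path == "/login" and ev["status"] == "401":
            um = re.search(r"username=([^&]+)", query)
            if um:
                failed_logins[um.group(1)] = failed_logins.get(um.group(1), 0) + 1
        elif path in KEY_MGMT_PATHS and failed_logins.get(user, 0) >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"rule": "key-action-after-failed-logins",
                           "failed": str(failed_logins[user]), "line": raw})
    return alerts


def rule_names(text: str) -> List[str]:
    """Just the rule names, handy for summaries and checks."""
    return [a["rule"] for a in scan_log(text)]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["rule"], "|", alert.get("chars", alert.get("failed", "")), "|", alert["line"])
```

Checking metacharacters in decoded parameter values rather than the raw query string avoids alerting on every `&` separator; the failed-login rule keys on the submitted username because the unauthenticated attempts carry no session user.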