CVE-2026-23893
📋 TL;DR
openCryptoki versions 2.3.2+ are vulnerable to symlink attacks when running with elevated privileges. Token-group users can plant symbolic links in group-writable directories to redirect file operations to arbitrary targets, potentially leading to privilege escalation or data exposure. This affects systems where openCryptoki runs as root and token-group members have access to token directories.
💻 Affected Systems
- openCryptoki
📦 What is this software?
Opencryptoki by Opencryptoki Project
⚠️ Risk & Real-World Impact
Worst Case
Full root privilege escalation allowing complete system compromise, data theft, or system destruction.
Likely Case
Privilege escalation to root when administrators run maintenance tools that perform chown operations on token directory files.
If Mitigated
Limited to token-group user privileges if proper access controls prevent symlink planting.
🎯 Exploit Status
Requires token-group membership and timing with administrator maintenance actions. No public exploit code available at advisory publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not yet released (fixed in commit 5e6e4b4)
Vendor Advisory: https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-j6c7-mvpx-jx5q
Restart Required: Yes
Instructions:
1. Monitor openCryptoki releases for a version containing commit 5e6e4b4.
2. Apply the official patch when available.
3. Restart openCryptoki services and affected applications.
🔧 Temporary Workarounds
Remove group-write permissions from token directories
Change token and lock directory permissions from 0770 to 0750 to prevent token-group users from planting symlinks.
chmod 0750 /var/lib/opencryptoki/tokens/*
chmod 0750 /var/lib/opencryptoki/locks/*
Restrict token-group membership
Review and minimize token-group membership to only essential users.
grep '^token:' /etc/group
usermod -G token -a username   # to add
gpasswd -d username token      # to remove
🧯 If You Can't Patch
- Implement strict access controls on token directories and monitor for unauthorized symlink creation.
- Run openCryptoki with minimal privileges instead of as root where possible.
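The following script is an added example, not part of the advisory or the openCryptoki project. It turns the two pieces of advice above into one host check: the workaround (drop group write so token-group users cannot plant links) and the monitoring advice (alert on symlinks in the token tree). The base path is a parameter so the check can run against a constructed fixture; on a real host it would be /var/lib/opencryptoki. The fixture, its directory names (exampletok, token.dat, target) and the function names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the advisory or the openCryptoki project.
# Audits an openCryptoki-style token tree for the two conditions the
# advisory ties together: group-writable directories (the 0770 default the
# workaround tightens to 0750) and symbolic links planted inside them.

# report_findings BASE  -- one line per finding under BASE/tokens and BASE/locks
report_findings() {
    base="$1"
    for sub in tokens locks; do
        dir="$base/$sub"
        [ -d "$dir" ] || continue
        # -perm -020: group write bit set (octal form for portability)
        find "$dir" -type d -perm -020 -exec sh -c \
            'for d; do echo "group-writable dir: $d"; done' sh {} +
        # The daemon creates regular files and directories only; any
        # symlink in the tree is worth an alert.
        find "$dir" -type l -exec sh -c \
            'for l; do echo "symlink: $l -> $(readlink "$l")"; done' sh {} +
    done
}

# count_findings BASE  -- number of finding lines (0 means clean)
count_findings() {
    report_findings "$1" | wc -l | tr -d ' '
}

# harden_dirs BASE  -- the advisory's workaround applied to every directory
# in the token and lock trees: chmod 0750 (removes group write)
harden_dirs() {
    for sub in tokens locks; do
        if [ -d "$1/$sub" ]; then
            find "$1/$sub" -type d -exec chmod 0750 {} +
        fi
    done
}

# make_fixture  -- constructed layout standing in for /var/lib/opencryptoki:
# one token dir left at 0770 with a planted symlink, one lock dir already
# at 0750. Names are placeholders, not openCryptoki's real file names.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/tokens/exampletok" "$root/locks/exampletok" "$root/target"
    chmod 0750 "$root/tokens" "$root/locks" "$root/locks/exampletok" "$root/target"
    chmod 0770 "$root/tokens/exampletok"
    # planted link (constructed); points inside the fixture only
    ln -s "$root/target" "$root/tokens/exampletok/token.dat"
    echo "$root"
}

# Stand-alone run: build the fixture, print the findings, tidy up.
demo_root=$(make_fixture)
report_findings "$demo_root"
rm -rf "$demo_root"
```

On the fixture the audit reports two findings (the 0770 directory and the symlink); after `harden_dirs` only the symlink remains, which is the point: tightening permissions stops new links from being planted but does not remove ones already there, so the symlink scan belongs in the monitoring loop as well.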
🔍 How to Verify
Check if Vulnerable:
Check the openCryptoki version and token directory permissions:
opencryptoki --version
ls -la /var/lib/opencryptoki/tokens/
Check Version:
opencryptoki --version
Verify Fix Applied:
Verify that commit 5e6e4b4 is included and that token directories are 0750:
git log --oneline | grep 5e6e4b4
ls -ld /var/lib/opencryptoki/tokens/*
📡 Detection & Monitoring
Log Indicators:
- Unexpected chown operations in token directories
- Symlink creation in /var/lib/opencryptoki/tokens/
Network Indicators:
- None - local attack only
SIEM Query:
process.name:"chown" AND (file.path:"/var/lib/opencryptoki/tokens/*" OR file.path:"/var/lib/opencryptoki/locks/*")