Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0).

Affected Packages

PyPI salt

Affected versions: 3007.0 (fixed in 3007.4)

PyPI salt

Affected versions: 3006.0 (fixed in 3006.12)

Related CVEs

CVE-2025-22236

Key Information

GHSA ID

GHSA-jh7c-xh74-h76f

Published

June 13, 2025 9:30 AM

Last Modified

June 13, 2025 9:18 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

salt

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 14, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.