CVE-2026-25793
Published: 06 February 2026
Summary
CVE-2026-25793 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Slack Nebula. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 0.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-17 (Public Key Infrastructure Certificates).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-25793 by requiring timely patching of the flaw in Nebula versions 1.7.0 to 1.10.2 that allows ECDSA signature malleability to evade certificate blocklists.
Ensures proper PKI certificate management, revocation, and restriction of untrusted certificates, preventing evasion of blocklist entries via modified certificate fingerprints.
Implements cryptographic mechanisms for proper signature verification and integrity protection, addressing the improper verification of ECDSA signatures (CWE-347) in P256 certificates.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables network exploitation of Nebula for unauthorized access via blocklist bypass (T1190); malleability directly allows forging variant authentication certificates that evade fingerprint checks (T1649); root cause is improper cryptographic signature verification subverting trust controls (T1553).
NVD Description
Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3.
Deeper analysis
CVE-2026-25793 affects Nebula, a scalable overlay networking tool, in versions 1.7.0 through 1.10.2. The vulnerability arises when using P256 certificates, which is not the default configuration, allowing attackers to evade blocklist entries targeted at a certificate's fingerprint. This is achieved through ECDSA signature malleability, enabling the creation of a modified copy of the certificate with a different fingerprint. The issue is classified under CWE-347 (Improper Verification of Cryptographic Signature) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity and no user interaction required. By generating a malleable signature variant of a blocked certificate, they can bypass Nebula's blocklist enforcement, potentially impersonating a blocked entity to gain unauthorized access. Successful exploitation results in high confidentiality and integrity impacts, such as exfiltrating sensitive data or modifying network traffic, without affecting availability.
The vulnerability has been addressed in Nebula version 1.10.3. Official mitigation details are available in the GitHub security advisory (GHSA-69x3-g4r3-p962) and the patching commit (f573e8a26695278f9d71587390fbfe0d0933aa21), which security practitioners should review for implementation guidance and verification steps.
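The root cause described above can be checked in a few lines of Go. This is an added example, not code from Nebula or its patch: it shows that an ECDSA P-256 signature (r, s) and its equivalent (r, n-s) both verify, that a fingerprint taken over the raw signature bytes differs between them, and that normalising to the low-S form before hashing gives one stable blocklist key. The fingerprint layout (SHA-256 over body, r, s) and the names `canonicalS`, `fingerprint` and `check` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var n = elliptic.P256().Params().N // P-256 group order

// canonicalS returns the low-S form, so s and n-s map to the same value.
func canonicalS(s *big.Int) *big.Int {
	if s.Cmp(new(big.Int).Rsh(n, 1)) <= 0 {
		return new(big.Int).Set(s)
	}
	return new(big.Int).Sub(n, s)
}

// fingerprint hashes body || r || s (assumed layout, not Nebula's format).
func fingerprint(body []byte, r, s *big.Int) [32]byte {
	buf := append(append([]byte{}, body...), r.FillBytes(make([]byte, 32))...)
	return sha256.Sum256(append(buf, s.FillBytes(make([]byte, 32))...))
}

// check reports: both forms verify, raw fingerprints differ, canonical ones match.
func check() (bothVerify, rawDiffer, canonicalMatch bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	body := []byte("constructed certificate body (sample data)")
	digest := sha256.Sum256(body)
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	twin := new(big.Int).Sub(n, s) // the equivalent signature value
	bothVerify = ecdsa.Verify(&key.PublicKey, digest[:], r, s) &&
		ecdsa.Verify(&key.PublicKey, digest[:], r, twin)
	rawDiffer = fingerprint(body, r, s) != fingerprint(body, r, twin)
	canonicalMatch = fingerprint(body, r, canonicalS(s)) == fingerprint(body, r, canonicalS(twin))
	return
}

func main() { fmt.Println(check()) }
```

A verifier can equally reject any signature whose s exceeds n/2 instead of normalising it; either way the blocklist key must not depend on which of the two forms is presented.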
Details
- CWE(s)