HIGH

CVE-2026-9323

CVSS v3

8.1

HIGH

EPSS Score

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

The urwid web display backend (urwid/display/web.py) generates web session identifiers (urwid_id) in Screen.start() by concatenating two random.randrange(10**9) calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and the Mersenne Twister internal state is approximately 19,937 bits, so an attacker who observes approximately 334 session IDs (for example via the X-Urwid-ID HTTP response header) can fully recon

Technical details

CVSS v3 Vector
3.1
Published
7/18/2026
Last Modified
7/18/2026

Frequently asked questions

What is CVE-2026-9323?

The urwid web display backend (urwid/display/web.py) generates web session identifiers (urwid_id) in Screen.start() by concatenating two random.randrange(10**9) calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and the Mersenne Twister internal state is approximately 19,937 bits, so an attacker who observes approximately 334 session IDs (for example via the X-Urwid-ID HTTP response header) can fully recon

Is CVE-2026-9323 actively exploited?

Active exploitation of CVE-2026-9323 has not been confirmed. The EPSS score is N/A%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-9323?

CVE-2026-9323 has a CVSS v3 base score of 8.1 (HIGH severity), with vector string 3.1.

Is CVE-2026-9323 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.