CVE-2026-31798 PUBLISHED

JumpServer Improper Certificate Validation in Custom SMS API Client

Assigner: GitHub_M
Reserved: 09.03.2026 Published: 13.03.2026 Updated: 13.03.2026

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and capture the verification code BEFORE it reaches the user's phone. This vulnerability is fixed in v4.10.16-lts.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS Score: 5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	jumpserver
Product	jumpserver
Versions	Version < 4.10.16-lts is affected

References

https://github.com/jumpserver/jumpserver/security/advisories/GHSA-26pj-mmxw-w3w7

Problem Types

CWE-295: Improper Certificate Validation CWE