CVE-2026-43617

MEDIUMNVD 4.84.8
EchelonGraph scoreMEDIUM confidence

Score 4.8 from GitHub Security Advisory published 2026-05-20. NVD baseline CVSS 4.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, nvd
4.8
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 4.8Exploit: NoneExposed: 0

A fix is available — apply it.

Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN.

CVSS v3
4.8
EG Score
4.8(medium)
EPSS
20.0%
KEV
Not listed

Published

May 20, 2026

Last Modified

May 21, 2026

Advisory Details (3)

Auto-updated May 20, 2026
Patch available. Sources: github.
generic

Rsync < 3.4.3 Authorization Bypass via Hostname Resolution | Advisories | VulnCheck

https://www.vulncheck.com/advisories/rsync-authorization-bypass-via-hostname-resolution
github Patch Available

rsync: hostname/ACL bypass on DNS-lookup failure · Advisory · RsyncProject/rsync · GitHub

https://github.com/RsyncProject/rsync/security/advisories/GHSA-rjfm-3w2m-jf4f
generic

Release v3.4.3 · RsyncProject/rsync · GitHub

https://github.com/RsyncProject/rsync/releases/tag/v3.4.3

Vendor Advisories for CVE-2026-43617(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(2)

Vendor / EcosystemFixed in / PatchReleasedSource
ubuntursync (3.4.1+ds1-7ubuntu0.2) @ resolute2026-06-29ubuntu
ubuntursync (3.1.0-2ubuntu0.4+esm3) @ trusty2026-06-29ubuntu

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Additional Vendor Advisories

(2)

Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.

Frequently asked(5)

What is CVE-2026-43617?
CVE-2026-43617 is a medium vulnerability published on May 20, 2026. Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing…
When was CVE-2026-43617 disclosed?
CVE-2026-43617 was first published in the National Vulnerability Database on May 20, 2026, with the most recent update on May 21, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-43617 actively exploited?
CVE-2026-43617 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 20.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-43617?
CVE-2026-43617 has a CVSS v3 base score of 4.8 (NVD).
How do I remediate CVE-2026-43617?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-43617, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-43617

Explore →

Is Your Infrastructure Affected by CVE-2026-43617?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.