CVE-2026-47192

LOWPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

kas's late signature validation may allow unnoticed repository manipulations

Impact

So far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions.

First of all, the attacker must have gained control of a repository that a kas file of the victim is referencing. Furthermore, the following conditions must be fulfilled:

  • the victim's kas configuration must include a configuration file from the attacked repository
  • the repository state is referenced by tag, and no commit ID is specified (this is triggering a warning, though)
  • the key used for validating the tag or commit signature is stored as file in a repository
  • no fingerprint for the key is specified
  • the _source_dir key must not be set by the victim when calling kas (e.g. by avoiding a local .config.yaml)

Given these conditions, the attacker could modify the included kas configuration in way that the key used to validate the tag signature of the attacker's repository could be replaced by an attacker-chosen key.

No other exploit possibilities have been identified so far, but this does not rule out that those may exist.

Patches

The vulnerability was introduced with a2480fe59b6421eb96cf3bd86527ae6e412a331e, commit https://github.com/siemens/kas/commit/5b2114becfc154b16ef496d24f8c2191a2297f57 is resolving this issue. A misuse of _source_dir is resolved by commit https://github.com/siemens/kas/commit/c443c0a1fd0f9bd6a689a44d95a252085fc6da88. Shadowing a commit by a branch of the same name is described in advisory https://github.com/siemens/kas/security/advisories/GHSA-qjwp-hrq6-r26r and is addressed by commit https://github.com/siemens/kas/commit/4cb4a3d01122ffaec9feaae768a5814092f6f9b5. All patches have been released along with kas version 5.3.

Workarounds

Pin the expected signature key via its fingerprint, also when storing it as file in a repository.

CVSS v3
EG Score
0.0(none)
EPSS
6.0%
KEV
Not listed

Published

June 4, 2026

Last Modified

June 4, 2026

Vendor Advisories for CVE-2026-47192(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
kas4.8 ... 5.2 (6 versions)5.3

Data Freshness Timeline

(refreshed 0× in last 7d / 4× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-14 23:18 UTCEPSS rescore
  2. 2026-06-13 23:00 UTCEPSS rescore
  3. 2026-06-13 17:17 UTCEG score recompute
  4. 2026-06-12 23:12 UTCEPSS rescore
  5. 2026-06-04 18:10 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-47192?
CVE-2026-47192 is a low vulnerability published on June 4, 2026. kas's late signature validation may allow unnoticed repository manipulations Impact So far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of…
When was CVE-2026-47192 disclosed?
CVE-2026-47192 was first published in the National Vulnerability Database on June 4, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47192 actively exploited?
CVE-2026-47192 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 6.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-47192?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47192, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47192

Explore →

Is Your Infrastructure Affected by CVE-2026-47192?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.