Threat Advisory

Chisel Vulnerabilities Allow Arbitrary Tunneling

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48113 with a CVSS score of 7.5 is a privilege escalation vulnerability in the open-source tunneling tool Chisel (go/github.com/jpillora/chisel) that affects all releases up to and including version 1.11.4. The flaw stems from an incomplete access-control check: the server validates user ACLs only during the initial SSH handshake against the list of declared remotes, but it fails to enforce those ACLs when processing subsequent SSH channels that carry the actual traffic, allowing the client-controlled `ExtraData` field to dictate arbitrary host-port destinations. An attacker who possesses valid credentials for a permitted remote can authenticate to the Chisel server, then open additional SSH channels with crafted `ExtraData` to bypass the `--authfile` restrictions and direct traffic to any reachable internal service. This grants the attacker the ability to tunnel data to unauthorized hosts, potentially exfiltrating sensitive information, accessing internal APIs, or pivoting to further compromise the network. Exploitation requires only network access to the Chisel server, a legitimate user account that satisfies the configured ACL, and a vulnerable server version; no additional privileges or code execution are needed beyond the authenticated session.
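The gap between the handshake-time check and the per-channel enforcement described above can be modelled in a few lines. This is an added example, not Chisel's code and not part of the original advisory; the `user` type, the function names, the `host:port` address form and the sample addresses are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// user models one authfile entry (hypothetical type, not Chisel's own).
type user struct {
	name    string
	allowed []*regexp.Regexp // destinations this user may tunnel to
}

func (u *user) hasAccess(addr string) bool {
	for _, re := range u.allowed {
		if re.MatchString(addr) {
			return true
		}
	}
	return false
}

// checkHandshake is the one-time check on the remotes declared at connect.
func checkHandshake(u *user, declared []string) error {
	for _, r := range declared {
		if !u.hasAccess(r) {
			return fmt.Errorf("user %s: remote %q denied", u.name, r)
		}
	}
	return nil
}

// authorizeChannel re-applies the ACL to the destination named when a
// channel is opened, before the server dials it.
func authorizeChannel(u *user, dest string) error {
	if !u.hasAccess(dest) {
		return fmt.Errorf("user %s: channel to %q denied", u.name, dest)
	}
	return nil
}

func sampleUser() *user { // constructed sample data: one permitted endpoint
	re := regexp.MustCompile(`^10\.0\.0\.5:5432$`)
	return &user{name: "alice", allowed: []*regexp.Regexp{re}}
}

func main() {
	u := sampleUser()
	fmt.Println("handshake:", checkHandshake(u, []string{"10.0.0.5:5432"}))
	fmt.Println("channel 10.0.0.9:6379:", authorizeChannel(u, "10.0.0.9:6379"))
}
```

A server that calls only the handshake check and then dials whatever destination each channel names has the behaviour the advisory describes; calling the same ACL check on every channel open is what keeps the two in agreement.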

RECOMMENDATION:

  • We recommend updating Chisel to version 1.11.5.

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-24fp-5v3p-rvpw