CVE-2026-31798

low-risk

Published 2026-03-13

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and capture the verification code BEFORE it reaches the user's phone. This vulnerability is fixed in v4.10.16-lts.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.0/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Jumpserver

Affected Vendors

Fit2Cloud

References (1)

Vendor Advisory https://github.com/jumpserver/jumpserver/security/advisories/GHSA-26pj-mmxw-w3w7

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal