CVE-2025-22236

HIGH

Salt 3007.0-3007.3 and 3006.0-3006.11 - Minion Event Bus Authorization Bypass

Title source: llm

Description

Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0).

References (2)

Core 2

Core References

Release Notes

https://docs.saltproject.io/en/3006/topics/releases/3006.12.html

Release Notes

https://docs.saltproject.io/en/3007/topics/releases/3007.4.html

Scores

CVSS v3 8.1

EPSS 0.0014

EPSS Percentile 34.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-287

Status published

Products (3)

pypi/salt 3007.0 - 3007.4PyPI

VMware/SALT 3006.x - 3006.12

VMware/SALT 3007.x - 3007.4

Published Jun 13, 2025

Tracked Since Feb 18, 2026