CVE-2025-62349

MEDIUM 6.2

Salt Master authentication protocol downgrade may enable minion impersonation

CVSS Score

6.2

EPSS Score

0.0%

EPSS Percentile

0th

Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.

CWE	CWE-287
Vendor	salt project
Product	salt
Published	Jan 30, 2026
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for salt project salt

Be the first to know when new medium vulnerabilities affecting salt project salt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Affected Versions

Salt Project / Salt

3006.12 < 3006.17

Salt Project / Salt

3007.4 < 3007.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

docs.saltproject.io: https://docs.saltproject.io/en/latest/topics/releases/3006.17.html docs.saltproject.io: https://docs.saltproject.io/en/latest/topics/releases/3007.9.html

Credits

🔍 Barney Sowood