GHSA-8h88-gxp3-j7pg: openssl-encrypt's unverified key bundle from_dict() + to_identity() path allows encryption to attacker keys
The PublicKeyBundle.from_dict() method in openssl_encrypt/modules/key_bundle.py (lines 329-361) creates bundles from untrusted data without verifying the signature. The docstring warns callers to invoke verify_signature() after creation, but the to_identity() method (lines 363-391) can convert an unverified bundle directly into an Identity object, so a bundle carrying a substituted public key can reach the encryption path without its signature ever being checked.
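The pattern described above, as an added illustration that is not openssl-encrypt's own code: the class and method names mirror the advisory, but the signature scheme (HMAC-SHA256 over canonical JSON with a constructed demo key), the field layout and the method bodies are assumptions. The hardened to_identity() tracks verification state and refuses to produce an Identity until verify_signature() has succeeded.

```python
import hmac
import hashlib
import json

# Constructed demo key; the real project's signature scheme is not modelled here.
DEMO_KEY = b"constructed-demo-signing-key"


def _canonical(fields: dict) -> bytes:
    """Canonical JSON over every field except the signature itself."""
    body = {k: v for k, v in fields.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_bundle(fields: dict) -> dict:
    """Attach a signature to a bundle dict (stand-in for the trusted signer)."""
    signed = dict(fields)
    signed["signature"] = hmac.new(DEMO_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return signed


class Identity:
    def __init__(self, name: str, public_key: str):
        self.name, self.public_key = name, public_key


class PublicKeyBundle:
    """Hypothetical bundle whose to_identity() refuses unverified data."""

    def __init__(self, fields: dict):
        self._fields = fields
        self._verified = False  # the fix: record verification state explicitly

    @classmethod
    def from_dict(cls, data: dict) -> "PublicKeyBundle":
        # Accept untrusted input, but do not treat it as trusted yet.
        return cls(dict(data))

    def verify_signature(self) -> bool:
        expected = hmac.new(DEMO_KEY, _canonical(self._fields), hashlib.sha256).hexdigest()
        self._verified = hmac.compare_digest(expected, self._fields.get("signature", ""))
        return self._verified

    def to_identity(self) -> Identity:
        # Hardened form: an unverified or tampered bundle never becomes an Identity,
        # so a swapped public key cannot reach the encryption path.
        if not self._verified:
            raise ValueError("bundle signature not verified")
        return Identity(self._fields["name"], self._fields["public_key"])
```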