GHSA-hvc7-763r-4f3h: openssl-encrypt has no owner verification on key revocation — any client can revoke any key

April 1, 2026

The revoke_key method in openssl_encrypt_server/modules/keyserver/service.py at lines 195-270 accepts a client_id parameter but never verifies that the requesting client is the same as key.owner_client_id.

References

github.com/advisories/GHSA-hvc7-763r-4f3h
github.com/jahlives/openssl_encrypt
github.com/jahlives/openssl_encrypt/commit/05e45f393886b5bf7e924d2dd42099a9dd37f91d
github.com/jahlives/openssl_encrypt/security/advisories/GHSA-hvc7-763r-4f3h

Code Behaviors & Features

Detect and mitigate GHSA-hvc7-763r-4f3h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →