CVE-2026-44405: Paramiko rsakey.py allows the SHA-1 algorithm

May 6, 2026 (updated May 8, 2026)

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

References

github.com/advisories/GHSA-r374-rxx8-8654
github.com/paramiko/paramiko
github.com/paramiko/paramiko/commit/a4489456b6f65281e172380cc4826cee5e851dbb
nvd.nist.gov/vuln/detail/CVE-2026-44405
ostif.org/wp-content/uploads/2026/05/25-11-2415-REP_paramiko-security-audit_v1.1.pdf

Code Behaviors & Features

Detect and mitigate CVE-2026-44405 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →