Contributor

@EItanya EItanya commented Feb 12, 2026

Adds a uv constraint-dependency to pin cryptography>=46.0.5, fixing a HIGH severity subgroup attack vulnerability due to missing subgroup validation for SECT curves.

Copilot AI review requested due to automatic review settings February 12, 2026 14:50
Contributor

Copilot AI left a comment

Pull request overview

Updates the Python workspace’s uv configuration and lockfile to enforce a minimum cryptography version that includes the fix for CVE-2026-26007.

Changes:

  • Add a uv constraint-dependency for cryptography>=46.0.5 in pyproject.toml.
  • Regenerate uv.lock to apply the constraint (updating cryptography to 46.0.5 and adjusting resolved transitive packages like cffi).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File | Description
python/pyproject.toml | Adds tool.uv.constraint-dependencies to enforce cryptography>=46.0.5 during resolution.
python/uv.lock | Captures the new constraint and locks updated resolved versions, including cryptography 46.0.5.

Adds a uv constraint-dependency to pin cryptography>=46.0.5, fixing a
HIGH severity subgroup attack vulnerability due to missing subgroup
validation for SECT curves.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>
@EItanya EItanya force-pushed the eitanya/fix-cve-2026-26007-cryptography branch from eb71bc5 to 0dfe578 Compare February 12, 2026 15:20
@EItanya EItanya merged commit 710e238 into main Feb 12, 2026
15 checks passed
@EItanya EItanya deleted the eitanya/fix-cve-2026-26007-cryptography branch February 12, 2026 15:28