Salt — CVE history (PyPI)
Salt
37 CVEs affect the Salt PyPI package (highest CVSS 9.8). Latest disclosed: 2026-01-30. Full CVE history sourced from NVD.
Summary
- Package: Salt (PyPI)
- Total CVEs: 37
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2026-01-30
Recent CVEs (top 20)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62349 | Medium | 6.2 | — | 2026-01-30 | Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventin… |
| CVE-2025-62348 | High | 7.8 | — | 2026-01-30 | Salt's junos execution module contained an unsafe YAML decode/load usage. |
| CVE-2024-38824 | Critical | 9.6 | — | 2025-06-13 | Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory. |
| CVE-2025-22242 | Medium | 5.6 | — | 2025-06-13 | Worker process denial of service through file read operation. |
| CVE-2025-22241 | Medium | 5.6 | — | 2025-06-13 | File contents overwrite: the VirtKey class is called when “on-demand pillar” data is requested and uses unvalidated input to create paths to the “pki directory”. |
| CVE-2025-22240 | Medium | 6.3 | — | 2025-06-13 | Arbitrary directory creation or file deletion. |
| CVE-2025-22239 | High | 8.1 | — | 2025-06-13 | Arbitrary event injection on Salt Master. |
| CVE-2025-22238 | Medium | 4.2 | — | 2025-06-13 | Directory traversal attack in minion file cache creation. |
| CVE-2025-22237 | Medium | 6.7 | — | 2025-06-13 | An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause an arbitrary command to be run on the master with the same privileges as the master process. |
| CVE-2025-22236 | High | 8.1 | — | 2025-06-13 | Minion event bus authorization bypass. |
| CVE-2024-38825 | Medium | 6.4 | — | 2025-06-13 | The salt.auth.pki module does not properly authenticate callers. |
| CVE-2024-38823 | Low | 2.7 | — | 2025-06-13 | Salt's request server is vulnerable to replay attacks when not using a TLS encrypted transport. |
| CVE-2024-38822 | Low | 2.7 | — | 2025-06-13 | Multiple methods in the salt master skip minion token validation. |
| CVE-2023-34049 | Medium | 6.7 | — | 2024-11-14 | The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. |
| CVE-2023-20898 | Medium | 4.2 | — | 2023-09-05 | Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. |
| CVE-2023-20897 | Medium | 5.3 | — | 2023-09-05 | Salt masters prior to 3005.2 or 3006.2 contain a DoS in minion return. |
| CVE-2019-1010259 | — | — | — | 2019-07-18 | SaltStack Salt 2018.3 and 2019.2 are affected by SQL injection. |
| CVE-2017-14696 | High | 7.5 | — | 2017-10-24 | SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote attackers to cause a denial of service via a crafted authentication request. |
| CVE-2017-14695 | Critical | 9.8 | — | 2017-10-24 | Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafte… |
| CVE-2017-5200 | High | 8.8 | — | 2017-09-26 | Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2017-14695 | Critical | 9.8 | — | 2017-10-24 | Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7.x before 2017.7.2 allows remote minions with incorrect credentials to authenticate to a master via a crafte… |
| CVE-2017-12791 | Critical | 9.8 | — | 2017-08-23 | Directory traversal vulnerability in minion id validation in SaltStack Salt before 2016.11.7 and 2017.7.x before 2017.7.1 allows remote minions with incorrect credentials to authenticate to a master via a crafted minion ID. |
| CVE-2024-38824 | Critical | 9.6 | — | 2025-06-13 | Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory. |
| CVE-2016-9639 | Critical | 9.1 | — | 2017-02-07 | Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. |
| CVE-2017-5200 | High | 8.8 | — | 2017-09-26 | Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2 allows arbitrary command execution on a salt-master via Salt's ssh_client. |
| CVE-2017-5192 | High | 8.8 | — | 2017-09-26 | When using the local_batch client from salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, and 2016.11.x before 2016.11.2, external authentication is not respected, enabling all authentication to be bypassed. |
| CVE-2025-22239 | High | 8.1 | — | 2025-06-13 | Arbitrary event injection on Salt Master. |
| CVE-2025-22236 | High | 8.1 | — | 2025-06-13 | Minion event bus authorization bypass. |
| CVE-2016-1866 | High | 8.1 | — | 2016-04-12 | Salt 2015.8.x before 2015.8.4 does not properly handle clear messages on the minion, which allows man-in-the-middle attackers to execute arbitrary code by inserting packets into the minion-master data stream. |
| CVE-2025-62348 | High | 7.8 | — | 2026-01-30 | Salt's junos execution module contained an unsafe YAML decode/load usage. |
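Three of the four highest-scored entries above (CVE-2017-14695, CVE-2017-12791 and CVE-2024-38824) are the same bug class: a value the minion controls (its id, or the path of a file it pushes) is joined onto a trusted master directory without being confined to it. The block below is an added illustration written for this page, not Salt's code and not an exploit for any of the listed CVEs: it shows the unvalidated join beside the two checks that close it. PKI_DIR, CACHE_DIR and every function name are assumptions for illustration; the paths are built lexically and no filesystem is touched.

```python
"""Directory traversal through a minion-controlled id or file path, and the
checks that confine it. Added example; names are assumed, not Salt identifiers."""
import posixpath

PKI_DIR = "/var/lib/example-master/pki"      # assumed base for minion key files
CACHE_DIR = "/var/lib/example-master/cache"  # assumed base for files received from minions


def key_path_vulnerable(minion_id: str) -> str:
    """Unvalidated join of an attacker-chosen id onto the pending-keys directory.
    An id containing '..' normalises to a path outside 'minions_pre', for
    example onto another minion's already-accepted key."""
    return posixpath.normpath(posixpath.join(PKI_DIR, "minions_pre", minion_id))


def valid_minion_id(minion_id: str) -> bool:
    """Treat the id as an opaque single path component: reject anything empty,
    overlong (255 is an assumed limit), equal to '.' or '..', or containing a
    separator, NUL or a non-printable character."""
    if not minion_id or len(minion_id) > 255:
        return False
    if minion_id in (".", ".."):
        return False
    if any(ch in minion_id for ch in ("/", "\\", "\x00")):
        return False
    return minion_id.isprintable()


def key_path_hardened(minion_id: str) -> str:
    """Same join as the vulnerable version, but only after the id was validated."""
    if not valid_minion_id(minion_id):
        raise ValueError(f"invalid minion id: {minion_id!r}")
    return posixpath.join(PKI_DIR, "minions_pre", minion_id)


def safe_join(base: str, untrusted: str) -> str:
    """Join an untrusted relative path onto a trusted base and refuse the result
    unless it still lies inside base. Catches '..' segments and absolute paths
    (posixpath.join discards base when the right-hand side is absolute). The
    check is purely lexical: on a real filesystem resolve symlinks with
    os.path.realpath before comparing."""
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, untrusted))
    if candidate == base_norm or candidate.startswith(base_norm + "/"):
        return candidate
    raise ValueError(f"path escapes {base_norm}: {untrusted!r}")


def escapes(base: str, untrusted: str) -> bool:
    """True when safe_join refuses untrusted under base."""
    try:
        safe_join(base, untrusted)
    except ValueError:
        return True
    return False


def receive_file_hardened(minion_id: str, relative_path: str) -> str:
    """Where a master would store a file a minion pushed: both the id and the
    minion-supplied relative path are constrained to that minion's cache tree."""
    if not valid_minion_id(minion_id):
        raise ValueError(f"invalid minion id: {minion_id!r}")
    minion_cache = posixpath.join(CACHE_DIR, "minions", minion_id, "files")
    return safe_join(minion_cache, relative_path)


if __name__ == "__main__":
    # Constructed inputs: one honest minion id, two crafted values.
    print(key_path_vulnerable("../minions/web01"))  # lands in minions/, not minions_pre/
    print(valid_minion_id("../minions/web01"))      # False: rejected before any join
    print(receive_file_hardened("web01", "etc/motd"))
    print(escapes(CACHE_DIR, "../../../../etc/cron.d/job"))  # True
```

The containment test compares against `base + "/"` rather than `base` alone so that a sibling directory sharing the prefix (`/srv/cache2` next to `/srv/cache`) is also refused.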