CVE-2018-1000132
Description
Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in the Protocol server that can result in Unauthorized data access. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mercurial 4.5 and earlier has an incorrect access control vulnerability in the protocol server that allows unauthorized data access over the network.
Vulnerability
Mercurial version 4.5 and earlier contains an Incorrect Access Control (CWE-285) vulnerability in the Protocol server [2]. This flaw allows an attacker to bypass intended access restrictions and access data without proper authorization. The vulnerability is present in all versions up to and including 4.5, and it is fixed in version 4.5.1 [1][2].
Exploitation
The attack is exploitable via network connectivity [2]. An attacker can send specially crafted requests to the Protocol server to leverage the incorrect access control, without requiring prior authentication or elevated privileges. Network access to the Mercurial service is the only prerequisite.
Impact
Successful exploitation results in unauthorized data access [2]. The attacker can retrieve sensitive information stored in the Mercurial repository that should be protected by access controls. This constitutes a confidentiality breach, potentially exposing private source code, credentials, or other sensitive data.
Mitigation
The vulnerability is fixed in Mercurial version 4.5.1 [1][2]. Users should upgrade to this version or later immediately. Red Hat Enterprise Linux users can also apply the patch via RHSA-2019:2276 [1]. No other workarounds are specified. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mercurial (PyPI) | < 4.5.1 | 4.5.1 |
Affected products
3 packages (GHSA coordinates), 3 version ranges:
- pkg:pypi/mercurial (no CPE), range: < 4.5.1
- pkg:rpm/opensuse/mercurial, distro=openSUSE Tumbleweed (no CPE), range: < 5.9.1-2.1
- pkg:rpm/suse/mercurial, distro=SUSE Linux Enterprise Software Development Kit 12 SP3 (no CPE), range: < 2.8.2-15.10.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2019:2276 (vendor advisory, Red Hat)
- github.com/advisories/GHSA-4mr4-7vjv-9hm6 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000132 (advisory)
- github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2018-87.yaml (web)
- lists.debian.org/debian-lts-announce/2018/03/msg00034.html (mailing list)
- lists.debian.org/debian-lts-announce/2018/07/msg00005.html (mailing list)
- lists.debian.org/debian-lts-announce/2020/07/msg00032.html (mailing list)
- www.mercurial-scm.org/wiki/WhatsNew (vendor confirmation)
News mentions
No linked articles in our index yet.