Unrated severityNVD Advisory· Published Mar 13, 2026· Updated Mar 13, 2026

JumpServer Improper Certificate Validation in Custom SMS API Client

CVE-2026-31798

Description

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and capture the verification code BEFORE it reaches the user's phone. This vulnerability is fixed in v4.10.16-lts.

Affected products

Jumpserver/Jumpserverv5
Range: < 4.10.16-lts

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/jumpserver/jumpserver/security/advisories/GHSA-26pj-mmxw-w3w7mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000