Unrated severity · NVD Advisory · Published May 25, 2026

CVE-2026-48851

Description

PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust indication for TELNET data but the trust status is not cleared between proxy authentication and the main session.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PuTTY 0.77–0.83 fails to clear trust sigils after proxy authentication, causing the Telnet session to show misleading trust icons.

Vulnerability

PuTTY versions 0.77 through 0.83 (fixed in 0.84) contain a vulnerability in the trust sigil mechanism. When connecting via Telnet through a proxy that requires interactive authentication, PuTTY displays a trust sigil (a small copy of the PuTTY icon) to distinguish its own prompts from server text. Due to a bug, the trust status was not cleared after proxy authentication, so trust sigils kept appearing on all data in the Telnet session, even though the session itself is not trusted. This is described in the PuTTY wishlist entry [1] and confirmed in the release announcement for 0.84 [2]. The affected versions are 0.77 to 0.83 inclusive.
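
The mechanism described above, reduced to a minimal C model as an added example (not PuTTY's source code and not part of the advisory): a trust flag set for the proxy prompt is stamped onto every later line unless it is cleared before the Telnet phase begins. The struct, the function names and the sample strings are hypothetical and constructed for illustration.

```c
/* Simplified model of a shared trust-status flag; hypothetical names, not PuTTY source. */
#include <stdbool.h>
#include <stdio.h>
#define MAX_LINES 8

struct term {
    bool trusted;                  /* trust status stamped onto each new line */
    const char *text[MAX_LINES];   /* rendered lines */
    bool sigil[MAX_LINES];         /* whether each line was drawn with the sigil */
    int nlines;
};

/* Each line is marked with whatever trust status is current when it is written. */
static void term_write(struct term *t, const char *text)
{
    if (t->nlines >= MAX_LINES) return;
    t->text[t->nlines] = text;
    t->sigil[t->nlines++] = t->trusted;
}

/* Proxy phase: the client's own prompt is legitimately marked as trusted. */
static void proxy_auth_phase(struct term *t)
{
    t->trusted = true;
    term_write(t, "Proxy password:");
}

/* Telnet phase: all text is server-supplied. clear_trust=false models the
 * behaviour described for 0.77-0.83; clear_trust=true models the fix. */
static void telnet_session_phase(struct term *t, bool clear_trust, const char *server_text)
{
    if (clear_trust)
        t->trusted = false;
    term_write(t, server_text);
}

/* Runs both phases; returns whether the server's line was drawn with the sigil. */
bool server_line_has_sigil(bool clear_trust)
{
    struct term t = {0};
    proxy_auth_phase(&t);
    telnet_session_phase(&t, clear_trust, "login:");  /* constructed server output */
    return t.sigil[t.nlines - 1];
}

int main(void)
{
    printf("not cleared: sigil=%d, cleared: sigil=%d\n",
           server_line_has_sigil(false), server_line_has_sigil(true));
    return 0;
}
```

In the model, the only difference between the two outcomes is whether the flag is reset at the phase boundary, which matches the advisory's description that the trust status "is not cleared between proxy authentication and the main session".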

Exploitation

An attacker must control or compromise a Telnet server that the victim connects to via a proxy requiring password entry. The victim must use a vulnerable PuTTY version (0.77–0.83) and connect to the Telnet server through such a proxy. When the proxy authentication completes, the trust sigil remains enabled, and any text emitted by the Telnet server (including a spoofed prompt) will appear with the trust sigil as if it were a legitimate PuTTY prompt. The attacker does not need any additional authentication or access to the client machine; they only need to be in a position to serve malicious Telnet data.

Impact

A successful exploit could cause the user to perceive a malicious server’s prompt (e.g., asking for a private key passphrase) as if it came from PuTTY itself. Since the trust sigil is intended to indicate a prompt from the client (which should never be sent to a server), a user might be tricked into disclosing sensitive credentials or other information to an untrusted server. This is a spoofing vulnerability with potential information disclosure impact, as stated in reference [2].

Mitigation

The vulnerability is fixed in PuTTY 0.84, released on 2026-05-22 [1][2]. Users should upgrade to PuTTY 0.84 or later. No workaround is documented; users who cannot upgrade should avoid using Telnet through proxy configurations that require password entry. There is no indication that this CVE is listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
