fix: upstream Python CVE vulnerabilities in Duo Auth Proxy 6.6.0

## Description

Duo Auth Proxy 6.6.0 bundles Python dependencies with known CVEs. These cannot be fixed on our side — they require an upstream fix from Cisco/Duo.

## Affected CVEs

| CVE | Package | Severity | Description |
| --- | --- | --- | --- |
| CVE-2026-24049 | wheel | HIGH | Privilege Escalation via malicious wheel file unpacking |
| CVE-2026-26007 | cryptography | HIGH | Subgroup Attack due to missing validation for SECT curves |
| CVE-2026-23949 | jaraco.context | HIGH | Path traversal via malicious tar archives |

## Current Status

- Alerts dismissed as "won't fix" with comment referencing upstream dependency
- Monitoring Duo Auth Proxy releases for updates

## Action Items

- [ ] Monitor [Duo Auth Proxy release notes](https://duo.com/docs/authproxy-notes) for new version
- [ ] Rebuild image when new Duo version addresses these CVEs
- [ ] Re-run Trivy scan to verify fix

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: upstream Python CVE vulnerabilities in Duo Auth Proxy 6.6.0 #44

Description

Affected CVEs

Current Status

Action Items

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE	Package	Severity	Description
CVE-2026-24049	wheel	HIGH	Privilege Escalation via malicious wheel file unpacking
CVE-2026-26007	cryptography	HIGH	Subgroup Attack due to missing validation for SECT curves
CVE-2026-23949	jaraco.context	HIGH	Path traversal via malicious tar archives

fix: upstream Python CVE vulnerabilities in Duo Auth Proxy 6.6.0 #44

Description

Description

Affected CVEs

Current Status

Action Items

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions