A vulnerability has been found in bastillion-io Bastillion up to version 4.0.1. It affects unknown code in the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the component Public Key Management System. Manipulation of that code leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
The severity level is classified as low, with a CVSS base score of 2. This vulnerability poses a risk to organizations, particularly those utilizing bastillion-io Bastillion. It is crucial for security teams to be aware of this vulnerability and take appropriate measures.
Risk to organizations includes potential unauthorized command execution, which can lead to further exploitation of the affected systems. Organizations should prioritize their assessments and consider remediation strategies.
Given that the exploit has been disclosed publicly and the vulnerability is classified as low, organizations should schedule remediation within their regular maintenance cycles.
Vulnerability Details
The vulnerability allows command injection and can be exploited remotely. Its CVSS score of 2.0 indicates low severity. The affected product is bastillion-io Bastillion, specifically versions up to 4.0.1. The vulnerability was published on January 17, 2026, and is classified under CWE-74 and CWE-77.
Technical Analysis
The root cause of this vulnerability stems from insufficient validation of user inputs in the key management system. Attackers may leverage this weakness to execute arbitrary commands on the server, leading to unauthorized actions.
The attack vector is network-based, requiring high privileges for exploitation. It has low attack complexity, and no user interaction is needed. The impacts on confidentiality, integrity, and availability are all classified as low.
Risk & Impact Analysis
Organizations face a real-world risk of remote exploitation due to this command injection vulnerability. The blast radius could encompass all systems running the vulnerable versions of bastillion-io Bastillion. Although the exploit has been disclosed, the low severity indicates a lower urgency for immediate patching.
Organizations should schedule remediation as part of their routine maintenance, but should remain vigilant about potential exploitation attempts in the wild.
Exploitation Status
| Signal | Status |
|---|---|
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |
Affected Versions
The affected versions of bastillion-io Bastillion include all versions up to 4.0.1.
Mitigation & Remediation
Organizations should apply the latest updates and patches provided by the vendor to mitigate this vulnerability. If a patch is unavailable, organizations should consider implementing workarounds, such as restricting access to the affected components and monitoring for unusual activity.
For further assistance, organizations can utilize penetration testing services to validate the effectiveness of their security measures.
Detection Guidance
Organizations should monitor logs for unusual commands or activities related to the Public Key Management System. Behavioral anomalies should be investigated, particularly those that deviate from normal operation within the application.
AppSecure Threat Intelligence Insight
The long-term significance of this vulnerability is that it highlights the importance of validating inputs in critical components such as public key management systems. Security teams should learn from this incident to strengthen their security posture against command injection vulnerabilities.
This case represents a pattern of vulnerabilities in public key management systems and underscores the necessity for comprehensive security assessments. Organizations must be proactive in identifying and mitigating such weaknesses.
For strategic defensive takeaways, organizations are encouraged to engage in vulnerability management programs to regularly assess and improve their security measures.
Organizations should also consider consulting resources on API security testing to strengthen their defenses against similar vulnerabilities.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.