Paramiko is a widely used PyPI package. As of 2026-05-24, there are 10 known vulnerabilities in the OSV database. The latest stable version is 5.0.0. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (10)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2018-7750 | CRITICAL | 9.5 | 2.0.0 to 2.0.8; 2.1.0 to 2.1.5; 2.2.0 to 2.2.3; 2.3.0 to 2.3.2; 2.4.0 to 2.4.1; 1.18.0 to 1.18.5; 0 to 1.17.6 | 2.0.8 | Paramiko not properly checking authentication before processing other requests |
| CVE-2018-1000805 | HIGH | 7.5 | 2.4.0 to 2.4.2; 2.3.0 to 2.3.3; 2.2.0 to 2.2.4; 2.1.0 to 2.1.6; 1.5.1 to 2.0.9 | 2.4.2 | Paramiko Authentication Bypass vulnerability |
| CVE-2022-24302 | HIGH | 7.5 | 2.10.0 to 2.10.1; 2.9.0 to 2.9.3 | 2.10.1 | Race Condition in Paramiko |
| CVE-2008-0299 | HIGH | 7.5 | 0 to 1.7.1-3 | 1.7.1-3 | Paramiko Unsafe randomness usage may allow access to sensitive information |
| CVE-2023-48795 | MODERATE | 5.0 | 0 to 0.40.2; 0.1.0 to 0.17.0; 2.5.0 to 3.4.0; 0 to 0.0.0-20231218163308-9d2ee975ef9f | 0.40.2 | Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC aka Terrapin |
| CVE-2026-44405 | LOW | 2.5 | >= 0 | N/A | Paramiko rsakey.py allows the SHA-1 algorithm |
| CVE-2008-0299 | UNKNOWN | - | 0 to 1.7.2 | 1.7.2 | common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by pred |
| CVE-2018-7750 | UNKNOWN | - | 0 to fa29bd8446c8eab237f5187d28787727b4610516; 1.18.0 to 1.18.5 | fa29bd8446c8eab237f5187d28787727b4610516 | transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 do |
| CVE-2018-1000805 | UNKNOWN | - | 1.5.1 to 2.0.9 | 2.0.9 | Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via netw |
| CVE-2022-24302 | UNKNOWN | - | 2.10.0 to 2.10.1 | 2.9.3 | In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure. |
Security Recommendations
- Pin Paramiko to the latest stable version (5.0.0) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using
pip-audit - Review your lock file (requirements.txt) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is Paramiko safe to use?
Paramiko is actively maintained and widely used. As of 2026-05-24, there are 10 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Paramiko have?
The OSV database currently lists 10 vulnerabilities for Paramiko. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Paramiko to fix vulnerabilities?
Run pip install --upgrade paramiko to get the newest version. Use pip-audit or safety check to scan for known vulnerabilities. Pin your dependencies with a requirements file and review updates regularly.
Using AI-Generated Code with Paramiko?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Paramiko, we can verify it is locked to a safe version and properly configured.
Get a Vibe Coding Security Audit