CVE-2026-34527 Overview
CVE-2026-34527 is a cryptographic weakness in Sandboxie-Plus, an open source sandbox-based isolation product for Windows. The flaw resides in SbieIniServer::HashPassword, which converts a SHA-1 digest to its hexadecimal representation incorrectly. The high nibble of each byte is shifted right by 8 bits instead of 4, which always yields zero for an 8-bit value. The stored EditPassword hash therefore retains only the low nibble of every digest byte. Effective entropy drops from 160 bits to 80 bits on top of an already unsalted SHA-1 scheme [CWE-328]. The defect affects versions 1.17.2 and earlier, and version 1.17.3 contains the fix.
Critical Impact
Leaked or backed-up EditPassword hashes from Sandboxie-Plus 1.17.2 and earlier are materially easier to brute-force because effective entropy is reduced by half.
Affected Products
- Sandboxie-Plus versions 1.17.2 and earlier
- Sandboxie-Plus SbieIniServer component (HashPassword function)
- Sandboxie-Plus configuration files containing the EditPassword hash
Discovery Timeline
- 2026-05-05 - CVE-2026-34527 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-34527
Vulnerability Analysis
The defect is a hexadecimal encoding bug in SbieIniServer::HashPassword. SHA-1 produces a 20-byte digest. To represent each byte as two hex characters, the implementation must isolate the high nibble with a right shift of 4 and the low nibble with a mask of 0x0F. The Sandboxie-Plus code shifts the high nibble right by 8 instead of 4. Since each byte is only 8 bits wide, an 8-bit shift always evaluates to zero. Every high nibble in the encoded hash is therefore lost, and only the low nibble of each digest byte is preserved in the stored value.
The stored hash retains 20 nibbles of meaningful data instead of 40. That collapses the effective output space from 2^160 to 2^80. Combined with the absence of a salt, identical passwords always produce identical hashes, enabling precomputed attacks. An attacker who obtains the EditPassword hash through a configuration backup, file disclosure, or local read access can recover the original password significantly faster than against a properly encoded SHA-1.
Root Cause
The root cause is an incorrect bit shift constant in the byte-to-hex conversion routine. The code uses a shift of 8 where 4 was required, zeroing the upper nibble of each digest byte before encoding. The use of unsalted SHA-1 amplifies the impact by allowing offline dictionary and rainbow table attacks against the truncated hash.
Attack Vector
Exploitation requires local access or possession of a Sandboxie-Plus configuration file or backup containing the EditPassword hash. After obtaining the hash, an attacker performs offline brute-force or dictionary attacks against an 80-bit search space without needing to interact with the target host. Recovery of the password permits modification of sandbox configuration that the EditPassword was intended to protect.
The vulnerability is described in prose only because no verified proof-of-concept code is published. See the GitHub Security Advisory GHSA-w37h-qm9p-h4x2 for the maintainer's analysis.
Detection Methods for CVE-2026-34527
Indicators of Compromise
- Sandboxie-Plus installations reporting version 1.17.2 or earlier in SandMan.exe metadata or installer registry keys
- EditPassword entries in Sandboxie.ini whose hash values contain leading-zero nibbles in every byte position
- Unexpected modifications to sandbox configuration following exposure of Sandboxie.ini through backups or shared storage
Detection Strategies
- Inventory Sandboxie-Plus deployments and flag any host running a version below 1.17.3
- Inspect exported or backed-up Sandboxie.ini files for EditPassword hashes that exhibit the truncated encoding pattern (every other nibble equals 0)
- Monitor file access events on Sandboxie.ini from non-administrative processes that could exfiltrate the hash
Monitoring Recommendations
- Audit configuration changes to sandboxes protected by EditPassword and alert on edits that follow access to Sandboxie.ini
- Track copies of Sandboxie.ini to removable media, network shares, or cloud sync folders
- Review backup repositories for historical copies of Sandboxie.ini and treat their hashes as compromised
How to Mitigate CVE-2026-34527
Immediate Actions Required
- Upgrade Sandboxie-Plus to version 1.17.3 or later on every Windows host where it is installed
- Reset the EditPassword after upgrading so a correctly encoded hash replaces the truncated value
- Treat any EditPassword hash from a 1.17.2 or earlier installation as compromised and rotate any reused passwords
Patch Information
The maintainers fixed the encoding defect in Sandboxie-Plus 1.17.3. The corrected SbieIniServer::HashPassword shifts the high nibble by 4 bits, preserving the full SHA-1 digest in the stored hash. Refer to the GitHub Security Advisory GHSA-w37h-qm9p-h4x2 for advisory details and release links.
Workarounds
- Restrict file system permissions on Sandboxie.ini to administrators only to limit hash exposure until the upgrade is applied
- Exclude Sandboxie.ini from user-accessible backup sets and synchronized folders that could leak the hash
- Avoid reusing the Sandboxie EditPassword value for any other system or account
# Configuration example: verify installed Sandboxie-Plus version on Windows
powershell -Command "(Get-Item 'C:\Program Files\Sandboxie-Plus\SandMan.exe').VersionInfo.ProductVersion"
# Restrict access to the configuration file storing EditPassword
icacls "C:\Program Files\Sandboxie-Plus\Sandboxie.ini" /inheritance:r /grant:r "Administrators:(R,W)" "SYSTEM:(R,W)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
