514 matches found
PT-2026-43368
Name of the Vulnerable Software and Affected Versions IBM HTTP Server version 8.5 IBM HTTP Server version 9.0 Description Remote code execution and denial of service are possible in configurations that utilize TLS mutual authentication, also known as client authentication, which is a process wher...
Unity Linux 20.1070e Security Update: strongswan (UTSA-2026-016762)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016762 advisory. In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and in the case of EAP methods...
curl: curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication
Summary: When curl/libcurl is built with the GnuTLS backend, the current HTTPS server-certificate validation path verifies the trust chain and hostname but does not enforce TLS server Extended Key Usage semantics. As a result, a leaf certificate that chains to a trusted CA, matches the requested...
OSEC-2026-06 TLS-client (with TLS 1.3) does insufficient certificate checks (missing KeyUsage and ExtendedKeyUsage validation)
The ocaml-TLS 1.3 client does not validate the KeyUsage and ExtendedKeyUsage extensions of the server certificate. This can lead to impersonation with a certificate issued to a client. Scenario Every employee at a major bank carries a smart card. The card holds a clientAuth certificate issued by...
OSEC-2026-07 TLS-server does insufficient client certificate checks (missing KeyUsage and ExtendedKeyUsage validation)
The TLS server implementation does not validate the KeyUsage and ExtendedKeyUsage extensions of client certificates when mutually authenticated TLS is requested. This can lead to impersonation with a certificate issued to a server. Scenario An operations engineer enables mTLS on the admin endpoin...
Astra Linux - уязвимость в golang-1.19
Large handshake records can cause panics in the crypto/TLS context. Both clients and servers may send large TLS handshake records, which can cause both servers and clients to panic when attempting to construct responses. This issue affects all TLS 1.3 clients, TLS 1.2 clients that explicitly enab...
PT-2026-42202
The ocaml-TLS 1.3 client does not validate the KeyUsage and ExtendedKeyUsage extensions of the server certificate. This can lead to impersonation with a certificate issued to a client. Scenario Every employee at a major bank carries a smart card. The card holds a clientAuth certificate issued by...
Astra Linux - уязвимость в python3.7, python2.7, pypy
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers such as HTTP servers that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is...
Astra Linux - уязвимость в erlang
In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS...
Improper Certificate Validation
Caddy is vulnerable to Improper Certificate Validation. The vulnerability is due to swallowed errors in ClientAuthentication.provision, where failures loading trustedcacertfile or trustedcacertspemfiles are ignored, causing mTLS authentication to fail open and accept any client certificate signed...
EUVD-2026-26413
CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or a denial of service...
CVE-2026-33446 Buffer overflow in client authentication prior to version 14.50
CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or a denial of service...
PT-2026-36168
Name of the Vulnerable Software and Affected Versions Secure Access client versions prior to 14.50 Description A buffer overflow exists in the authentication sub-system. Attackers controlling a modified server can send a specially crafted packet to overwrite a small portion of memory, which may...
Apache Storm's Improper Handling of TLS Client Authentication Failure Leads to Anonymous Principal Assignment
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...
GHSA-J2Q8-XX3Q-8FQH Apache Storm's Improper Handling of TLS Client Authentication Failure Leads to Anonymous Principal Assignment
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...
CVE-2026-41081
CVE-2026-41081 : In Apache Storm, TLS transport with default config (client certs not required) can assign a fallback principal CN=ANONYMOUS when a client certificate is missing or verification fails, because SSLPeerUnverifiedException is caught and connection is not rejected. This “fail-open” ca...
EUVD-2026-25848
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...
CVE-2026-41081
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...
CVE-2026-41081 Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...
PT-2026-35414
Improper Handling of TLS Client Authentication Failure Leading to Anonymous Principal Assignment in Apache Storm Versions Affected: up to 2.8.7 Description: When TLS transport is enabled in Apache Storm without requiring client certificate authentication the default configuration, the...