866 matches found
PT-2026-44799
Name of the Vulnerable Software and Affected Versions OpenShift Router affected versions not specified Description A flaw in the HTTP frontend occurs when a Route has the insecureEdgeTerminationPolicy set to Allow. In this configuration, the router fails to remove X-SSL-Client- headers from...
CVE-2026-32253
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509VERRUNABLETOGETISSUERCERTLOCALLY,...
Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration
A flaw was found in Apache Tomcat and Apache Tomcat Native. When CLIENTCERT authentication is configured with "soft fail" disabled, the authentication process may not correctly fail in certain scenarios. This vulnerability could allow an attacker to bypass expected client certificate...
Apache Tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration
A flaw was found in Apache Tomcat where OCSP-based certificate validation may incorrectly soft-fail during CLIENTCERT authentication, even when soft-fail is disabled, under certain FFM-related execution paths. This can result in client certificates being accepted despite failed or unverifiable...
Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration
A flaw was found in Apache Tomcat and Apache Tomcat Native. When CLIENTCERT authentication is configured with "soft fail" disabled, the authentication process may not correctly fail in certain scenarios. This vulnerability could allow an attacker to bypass expected client certificate...
CVE-2026-32253 Sunshine: Authentication bypass via improper client certificate validation
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509VERRUNABLETOGETISSUERCERTLOCALLY,...
CVE-2026-32253 Sunshine: Authentication bypass via improper client certificate validation
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509VERRUNABLETOGETISSUERCERTLOCALLY,...
EUVD-2026-31469
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509VERRUNABLETOGETISSUERCERTLOCALLY,...
PT-2026-42801
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509 V ERR UNABLE TO GET ISSUER CERT...
Astra Linux – Vulnerability in Golang-1.19
Verifying a certificate chain that contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/TLS clients, as well as servers that have Config.ClientAuth set to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default...
Astra Linux – Vulnerability in PostgresSQL 11
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries during the initial establishment of a connection, despite the use of SSL certificate verification and encryption...
Astra Linux - уязвимость в tomcat9
CLIENTCERT authentication does not fail as expected in some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: versions from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, and from 9.0.92 through 9.0.116. Users are recommended to...
Astra Linux – Vulnerability in Tomcat9
Improper input validation vulnerability. This issue affects Apache Tomcat: versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0-M1 through 9.0.112. The following versions were at the end of their support lifecycles at the time the CVE was created, but are known to be affected:...
curl: curl cross-origin HTTPS redirect reuses TLS client certificate for unintended second-origin mTLS authentication
Summary: When curl follows an HTTPS redirect to a different origin under normal -L / CURLOPTFOLLOWLOCATION behavior, it still presents the configured TLS client certificate to the redirected-to HTTPS server. This happens without --location-trusted / CURLOPTUNRESTRICTEDAUTH, even though curl alrea...
Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2026-1672)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1672 advisory. Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1...
CVE-2026-23998
Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled...
CVE-2026-23998 Fleet has a Windows MDM management endpoint authentication bypass
Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled...
PT-2026-40967
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.81.0 Description A flaw in the Windows MDM management endpoint allows requests to be processed without proper client certificate validation. The endpoint relies on mutual TLS mTLS—a process where both the client and...
SUSE CVE-2024-37082
When deploying Cloud Foundry together with the haproxy-boshrelease and using a non default configuration, it might be possible to craft HTTP requests that bypass mTLS authentication to Cloud Foundry applications. You are affected if you have route-services enabled in routing-release and have...
EUVD-2026-27145
Boundary Community Edition and Boundary Enterprise “Boundary” workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate...