CVE-2026-27137
Certificate Chain Verification Flaw in Go Causes Constraint Bypass
Publication date: 2026-03-06
Last updated on: 2026-04-21
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | 1.26.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when verifying a certificate chain that includes a certificate with multiple email address constraints. If these constraints share the same local part of the email address but have different domain parts, the verification process does not apply all constraints correctly and only considers the last constraint.
How can this vulnerability impact me? :
Because the verification process ignores all but the last email address constraint in certain certificates, it may allow certificates that should be restricted by earlier constraints to be accepted. This could lead to improper validation of certificates, potentially allowing unauthorized entities to be trusted.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know