CVE-2026-32883
OCSP Signature Verification Bypass in Botan Library Causes Validation Risk
Publication date: 2026-03-30
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| botan_project | botan | From 3.0.0 (inc) to 3.11.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Botan C++ cryptography library versions from 3.0.0 up to but not including 3.11.0. During the validation of X509 certificate paths, the library checked the status code of OCSP (Online Certificate Status Protocol) responses but failed to verify the signature on the OCSP response itself. This means that the authenticity of the OCSP response was not confirmed, potentially allowing an attacker to use forged or tampered OCSP responses.
How can this vulnerability impact me? :
Because the signature on OCSP responses was not verified, an attacker could provide a fake OCSP response indicating that a revoked or invalid certificate is still valid. This could lead to acceptance of untrusted or malicious certificates during TLS or other cryptographic operations, potentially enabling man-in-the-middle attacks or other security breaches.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in Botan versions from 3.0.0 to before 3.11.0 involves improper verification of OCSP response signatures during X509 path validation.
To mitigate this vulnerability, you should upgrade Botan to version 3.11.0 or later, where the issue has been patched.