CVE-2026-33753
Authorization Bypass in rfc3161-client via PKCS#7 Certificate Parsing
Publication date: 2026-04-08
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trailofbits | rfc3161-client | to 1.0.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33753 is an Authorization Bypass vulnerability in the Python library rfc3161-client, which implements the Time-Stamp Protocol (TSP). The flaw exists in how the library selects the leaf certificate from a PKCS#7 certificate bag during signature verification. The library uses a naive method that can be tricked by an attacker who appends a spoofed certificate with the expected Common Name (CN) and Extended Key Usage (EKU) to the certificate bag.
This spoofed certificate passes the authorization checks, while the cryptographic signature is still verified against a legitimate trusted TimeStamping Authority (TSA) certificate. This mismatch causes a trust boundary confusion, allowing an attacker to impersonate a trusted TSA without needing privileges or user interaction.
The vulnerability is fixed in version 1.0.6 of rfc3161-client.
How can this vulnerability impact me? :
This vulnerability allows an attacker to impersonate a trusted TimeStamping Authority (TSA) by bypassing authorization checks in the rfc3161-client library. As a result, an attacker can forge trusted timestamps that appear to come from a legitimate TSA.
The impact is high for applications relying on rfc3161-client for TSA origin verification, especially those using certificate pinning or CN checks to validate timestamps. Attackers can create forged timestamps that are accepted as valid, potentially undermining the integrity of time-stamped data.
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Confidentiality Impact: None
- Integrity Impact: High (forged trusted timestamps)
- Availability Impact: None
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying usage of the rfc3161-client Python package with versions prior to 1.0.6, as these versions contain the flawed certificate verification logic.
Since the vulnerability is in how the library processes PKCS#7 SignedData timestamp responses, detection can include inspecting timestamp responses for injected spoofed certificates or anomalous certificate chains.
Commands to detect vulnerable versions or suspicious timestamp responses might include:
- Checking installed package version: `pip show rfc3161-client` or `pip list | grep rfc3161-client`
- Monitoring network traffic for TimeStampResponse messages and extracting PKCS#7 certificates for manual inspection using OpenSSL commands such as: `openssl pkcs7 -in timestamp_response.p7s -print_certs -text -noout`
- Using custom scripts or tools to parse and verify the certificate bag in timestamp responses to detect presence of spoofed or dummy certificates as described in the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the rfc3161-client Python package to version 1.0.6 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, consider implementing additional validation of timestamp responses outside of the vulnerable library, such as verifying ESSCertID or ESSCertIDv2 bindings manually.
Avoid relying solely on common name (CN) or Extended Key Usage (EKU) checks for authorization and ensure cryptographic bindings are properly validated.
Monitor for suspicious timestamp responses that may contain injected spoofed certificates and restrict access to trusted TimeStamping Authorities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to impersonate a trusted TimeStamping Authority (TSA) by bypassing authorization checks in the rfc3161-client library. This can lead to the forging of trusted timestamps, which compromises the integrity of timestamped data.
Since timestamping is often used to prove the authenticity and integrity of data, this flaw could undermine compliance with standards and regulations that require strong data integrity and non-repudiation guarantees, such as GDPR and HIPAA.
Specifically, the ability to forge trusted timestamps may affect the reliability of audit trails, digital signatures, and other security controls that rely on accurate timestamping, potentially leading to violations of regulatory requirements for data integrity and authenticity.