CVE-2026-34580
Certificate Validation Bypass in Botan 3.11.0 Cryptography Library
Publication date: 2026-04-07
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| botan_project | botan | 3.11.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Botan C++ cryptography library version 3.11.0. The function Certificate_Store::certificate_known had a misleading name and behavior: it returned true if any certificate in the store had a Distinguished Name (DN) and subject key identifier matching those of the certificate passed as an argument, without verifying that the certificates were actually identical.
An extension of the path validation logic assumed that certificate_known returned true only if the certificates were identical. As a result, an attacker could present an end entity certificate whose DN and subject key identifier matched those of a trusted root certificate, and the system would accept the end entity certificate immediately as if it were a trusted root.
This vulnerability was fixed in Botan version 3.11.1.
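The difference between the two kinds of store lookup, as a simplified model added here for illustration; it is not Botan's code. The `Cert` and `Store` types, the function names and the sample certificates are hypothetical and constructed for this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical, simplified certificate (not a Botan type): the two fields the
// advisory names plus the complete encoding.
struct Cert {
    std::string subject_dn;
    std::vector<std::uint8_t> subject_key_id;
    std::vector<std::uint8_t> der;
};

using Store = std::vector<Cert>;  // hypothetical trusted-root store

// Models the 3.11.0 behaviour described above: true when any stored
// certificate shares the DN and subject key identifier.
bool known_by_name_and_key_id(const Store& s, const Cert& c) {
    return std::any_of(s.begin(), s.end(), [&](const Cert& t) {
        return t.subject_dn == c.subject_dn && t.subject_key_id == c.subject_key_id;
    });
}

// Strict check: true only when the full encoding is byte-for-byte identical.
bool contains_exact(const Store& s, const Cert& c) {
    return std::any_of(s.begin(), s.end(),
                       [&](const Cert& t) { return t.der == c.der; });
}

// Path building may stop at `c` and treat it as a trust anchor only if the
// chosen store lookup says the certificate is in the store.
bool is_trust_anchor(const Store& s, const Cert& c, bool exact_match) {
    return exact_match ? contains_exact(s, c) : known_by_name_and_key_id(s, c);
}

// Constructed sample data: a trusted root, and a different certificate that
// copies the root's DN and subject key identifier.
Cert sample_root() { return {"CN=Example Root", {0xAA, 0xBB}, {0x30, 0x01, 0x01}}; }
Cert sample_lookalike() { return {"CN=Example Root", {0xAA, 0xBB}, {0x30, 0x02, 0x02}}; }

int main() {
    Store store{sample_root()};
    Cert leaf = sample_lookalike();
    // Loose lookup accepts the lookalike; exact lookup rejects it.
    return (is_trust_anchor(store, leaf, false) && !is_trust_anchor(store, leaf, true)) ? 0 : 1;
}
```

A regression test for a validator can use the same shape: a certificate that shares only the DN and subject key identifier with a trusted root must never terminate path building as a trust anchor.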
How can this vulnerability impact me?
The vulnerability can lead to a serious security impact where an attacker can present a certificate that is not actually trusted but has the same DN and subject key identifier as a trusted root certificate.
Because the system incorrectly accepts this certificate as a trusted root, it can allow unauthorized access, bypass authentication, or enable man-in-the-middle attacks by making malicious certificates appear trusted.
This undermines the trust model of certificate validation and can compromise the confidentiality, integrity, and authenticity of communications relying on Botan for cryptographic operations.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Botan version 3.11.1. The immediate mitigation is to upgrade the Botan cryptography library to version 3.11.1 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in Botan's certificate validation logic could lead to the acceptance of an end entity certificate as a trusted root certificate if it shares the same distinguished name and subject key identifier. This misidentification can undermine the trustworthiness of cryptographic operations relying on Botan, potentially compromising the integrity and authenticity of secure communications.
Such a compromise may affect compliance with security requirements in common standards and regulations like GDPR and HIPAA, which mandate strong protections for data confidentiality and integrity. If cryptographic validation is flawed, it could lead to unauthorized access or data breaches, thereby violating these regulations' security controls.
However, the provided information does not explicitly detail the direct impact on compliance frameworks or specific regulatory consequences.