CVE-2026-34582
Received - Intake
TLS 1.3 Authentication Bypass in Botan Cryptography Library

Publication date: 2026-04-07

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-17
Generated: 2026-06-16
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: botan_project
Product: botan
Version / Range: From 3.0.0 (inc) to 3.11.0 (inc)
CWE ID: CWE-841
Description: The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence.
Mitigation Strategies

The vulnerability is fixed in Botan version 3.11.1. Immediate mitigation involves upgrading the Botan cryptography library to version 3.11.1 or later.

Executive Summary

This vulnerability exists in the Botan C++ cryptography library's TLS 1.3 implementation prior to version 3.11.1. It allows ApplicationData records to be processed before the Finished message is received during a TLS handshake.

Specifically, a server that enforces client authentication via certificates can be bypassed by a client that omits sending the Certificate, CertificateVerify, and Finished messages, and instead sends application data records directly.

The client therefore skips the authentication steps entirely and still has its application data processed by the server.
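
As an added illustration (not Botan's code and not part of the original advisory), the following C++ toy model shows the message-ordering flaw described above next to the check that closes it. The names `Msg`, `Result` and `run_server` are hypothetical, and only message sequencing is modelled, not certificate validation or record encryption.

```cpp
// Toy model of the server-side ordering check (illustration only, not Botan code).
#include <string>
#include <vector>

enum class Msg { Certificate, CertificateVerify, Finished, ApplicationData };

struct Result {
    bool app_data_delivered = false;    // application layer received data
    bool client_authenticated = false;  // full client flight was seen in order
    std::string alert;                  // non-empty if the connection was aborted
};

// Server has sent CertificateRequest and reads the client's messages.
// enforce_order=false models the flaw class (CWE-841): ApplicationData is
// accepted regardless of handshake state. enforce_order=true is the hardened form.
Result run_server(const std::vector<Msg>& client_msgs, bool enforce_order) {
    enum class State { WaitCert, WaitCertVerify, WaitFinished, Connected };
    State st = State::WaitCert;
    Result r;
    for (Msg m : client_msgs) {
        if (m == Msg::ApplicationData) {
            if (enforce_order && st != State::Connected) {
                r.alert = "unexpected_message";  // TLS alert for out-of-sequence input
                return r;
            }
            r.app_data_delivered = true;
            continue;
        }
        if (st == State::WaitCert && m == Msg::Certificate) {
            st = State::WaitCertVerify;
        } else if (st == State::WaitCertVerify && m == Msg::CertificateVerify) {
            st = State::WaitFinished;
        } else if (st == State::WaitFinished && m == Msg::Finished) {
            st = State::Connected;
            r.client_authenticated = true;
        } else {
            r.alert = "unexpected_message";
            return r;
        }
    }
    return r;
}

int main() {
    // Constructed input: a client that sends only application data.
    Result lax = run_server({Msg::ApplicationData}, false);
    Result strict = run_server({Msg::ApplicationData}, true);
    return (lax.app_data_delivered && !strict.app_data_delivered) ? 0 : 1;
}
```

The same gate is a useful regression test for any TLS server that requires client certificates: application data must never reach the application layer while the handshake state is anything other than connected.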

Impact Analysis

This vulnerability can allow an attacker to bypass client authentication on a server using Botan's TLS 1.3 implementation prior to version 3.11.1.

As a result, unauthorized clients could send application data without proving their identity, potentially leading to unauthorized access or data exposure.

This undermines the security guarantees of TLS client authentication and could compromise the confidentiality and integrity of communications.
