CVE-2026-35563
LDAP Client Missing Hostname Verification in Apache LDAP API
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | ldap_client | 2.1.7 |
| apache | directory_ldap_api | From 2.0.0 (inc) to 2.1.7 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-297 | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the LDAP client implementation version 2.1.7, where the client does not verify whether the server's certificate matches the intended LDAP hostname.
Although the certificate chain is validated against a trusted authority, the lack of endpoint identification means a valid certificate issued for a different host can be accepted improperly.
This flaw allows an attacker with man-in-the-middle (MITM) capabilities to impersonate the LDAP server and compromise the connection.
How can this vulnerability impact me?
The vulnerability can lead to server impersonation and complete compromise of the LDAP connection.
An attacker with MITM capability who can present a certificate trusted by the client's trust store can exploit this to intercept or manipulate sensitive data transmitted over the connection.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the LDAP client implementation to a version that enforces hostname verification in the TLS server identity check.
Ensure that the LDAP client properly verifies that the server certificate matches the intended LDAP hostname to prevent server impersonation.
Since the attacker requires man-in-the-middle capability and a trusted certificate, restricting network access and monitoring for suspicious certificates can also help reduce risk.
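The server identity check described above, shown with plain JDK TLS APIs as an added example (this is not code from the Apache LDAP API project). The hostname `ldap.example.com` and port 636 are placeholders; the weak variant mirrors the CWE-297 pattern, the hardened variant enables endpoint identification.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

/**
 * Added example: opening a TLS connection to an LDAPS server with and without
 * endpoint identification. Uses only JDK classes; not Apache LDAP API code.
 */
public final class LdapsEndpointIdentification {

    // Weak form: the JDK still validates the certificate chain against the
    // trust store, but with no endpoint identification algorithm set it never
    // checks that the certificate's SAN/CN matches `host`, so any certificate
    // trusted by the store is accepted (the CWE-297 condition in this CVE).
    static SSLSocket connectWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    // Hardened form: "LDAPS" instructs the JDK trust manager to match the
    // server certificate against the target hostname using the LDAP rules
    // (RFC 4513 / RFC 6125); the handshake fails on a mismatch.
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("LDAPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException if the name does not match
        return socket;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "ldap.example.com"; // placeholder hostname
        int port = 636;
        try (SSLSocket s = connectWithHostnameCheck(host, port)) {
            System.out.println("Hostname-verified TLS session: " + s.getSession().getProtocol());
        }
    }
}
```

Running the hardened variant against a server that presents a trusted certificate issued for a different name produces a handshake failure instead of a usable session, which is the behaviour a fixed client must exhibit.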
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows server impersonation and complete connection compromise because the LDAP client does not verify whether the server certificate matches the intended LDAP hostname. This can lead to unauthorized access to, or interception of, sensitive data during LDAP communications.
Such a security flaw could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information during transmission. The risk of man-in-the-middle attacks exploiting this vulnerability may result in data breaches or unauthorized data disclosure, thereby violating these regulations' requirements for data confidentiality and integrity.