CVE-2026-35563
Status: Analyzed (Analysis Complete)
LDAP Client Missing Hostname Verification in Apache LDAP API

Publication date: 2026-06-01

Last updated on: 2026-06-03

Assigner: Apache Software Foundation

Description
It was identified that the LDAP client implementation in version 2.1.7 does not verify whether the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be improperly accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise. The root cause of this vulnerability is incomplete TLS server identity verification within the LDAP client implementation. To exploit it, an attacker requires MITM capability on the network and must be able to present a certificate trusted by the client's configured trust store. Hostname verification is enforced in the new version of the LDAP API.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products
Vendor: apache
Product: directory_ldap_api
Version / Range: from 2.0.0 (inclusive) to 2.1.7 (exclusive)
CWE
CWE-297: The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
AI Quick Actions
Executive Summary

This vulnerability exists in the LDAP client implementation version 2.1.7, where the client does not verify if the server's certificate matches the intended LDAP hostname.

Although the certificate chain is validated against a trusted authority, the lack of endpoint identification means a valid certificate issued for a different host can be accepted improperly.

This flaw allows an attacker with man-in-the-middle (MITM) capabilities to impersonate the LDAP server and compromise the connection.

Impact Analysis

The vulnerability can lead to server impersonation and complete compromise of the LDAP connection.

An attacker with MITM capability who can present a certificate trusted by the client's trust store can exploit this to intercept or manipulate sensitive data transmitted over the connection.

Mitigation Strategies

To mitigate this vulnerability, upgrade the LDAP client implementation to a version that enforces hostname verification in the TLS server identity check.

Ensure that the LDAP client properly verifies that the server certificate matches the intended LDAP hostname to prevent server impersonation.

Since the attacker requires man-in-the-middle capability and a trusted certificate, restricting network access and monitoring for suspicious certificates can also help reduce risk.
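
As an added illustration of the distinction drawn in the description and in the mitigation above (chain validation alone versus full server identity verification), the following Java snippet is not code from the Apache LDAP API project or from this record; it opens a plain JSSE LDAPS socket both ways, and the hostname ldap.example.test and port 636 are placeholders.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

public final class LdapsEndpointIdentification {

    // Weak form (the CWE-297 pattern): the default trust manager validates the
    // certificate chain against the JVM trust store, but nothing checks that the
    // certificate actually names `host`, so any trusted certificate is accepted.
    static SSLSocket connectWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake(); // succeeds for a valid certificate issued to an unrelated host
        return socket;
    }

    // Hardened form: enable JSSE endpoint identification with the "LDAPS" algorithm,
    // which matches the peer certificate's subjectAltName dNSName entries (or CN)
    // against `host` during the handshake, in addition to chain validation.
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("LDAPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException on a name mismatch
        return socket;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "ldap.example.test"; // placeholder host
        try (SSLSocket s = connectWithHostnameCheck(host, 636)) {
            // Only reached when both the chain and the hostname binding were verified.
            System.out.println("Verified TLS peer for " + host + ": "
                    + s.getSession().getPeerPrincipal());
        }
    }
}
```

A useful regression check for any LDAP client is to point it at a test listener presenting a trusted certificate issued for a different name and confirm the handshake fails rather than succeeds.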

Compliance Impact

The vulnerability allows server impersonation and complete connection compromise due to the LDAP client not verifying if the server certificate matches the intended LDAP hostname. This can lead to unauthorized access or interception of sensitive data during LDAP communications.

Such a security flaw could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information during transmission. The risk of man-in-the-middle attacks exploiting this vulnerability may result in data breaches or unauthorized data disclosure, thereby violating these regulations' requirements for data confidentiality and integrity.
