CVE-2026-54919
Received Received - Intake

SSL Certificate Validation Bypass in cpp-httplib

Vulnerability report for CVE-2026-54919, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In affected Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL backend versions from 0.33.0 through 0.46.1, when cpp-httplib is built with CPPHTTPLIB_MBEDTLS_SUPPORT or CPPHTTPLIB_WOLFSSL_SUPPORT and a client connects to an IP-literal host with server certificate verification enabled, SSLClient and Client in HTTPS mode skip certificate chain validation and WebSocketClient on the Mbed TLS backend skips verification altogether, allowing a man-in-the-middle attacker positioned to intercept traffic to present a crafted certificate and read or modify the traffic. This issue is fixed in version 0.47.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
cpp-httplib cpp-httplib 0.47.0
mbed_tls mbed_tls From 0.31.0 (inc) to 0.46.1 (inc)
wolfssl wolfssl From 0.33.0 (inc) to 0.46.1 (inc)
yhirose cpp-httplib From 0.31.0 (inc) to 0.47.0 (exc)
yhirose cpp-httplib From 0.33.0 (inc) to 0.47.0 (exc)
yhirose cpp-httplib From 0.46.1 (inc) to 0.47.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54919 is a vulnerability in the cpp-httplib C++ HTTP/HTTPS library versions 0.31.0 through 0.46.1 when built with Mbed TLS or wolfSSL backends. When connecting to an IP-literal host with server certificate verification enabled, the library improperly skips certificate chain validation. Specifically, SSLClient and Client in HTTPS mode skip certificate chain validation, and WebSocketClient on the Mbed TLS backend skips verification entirely. This allows a man-in-the-middle attacker to present a crafted certificate and intercept, read, or modify the traffic.

The issue arises because the library only checks if the certificate's Subject Alternative Name (SAN) matches the IP address, but does not validate the certificate chain against trusted Certificate Authorities. This bypasses important security checks and enables attackers to use untrusted or self-signed certificates.

This vulnerability was fixed in version 0.47.0, where certificate chain verification is enforced for IP-literal hosts, and other improvements such as disabling SNI for IP hosts per RFC 6066 were implemented.

Compliance Impact

This vulnerability allows a man-in-the-middle attacker to intercept and modify HTTPS traffic by bypassing certificate chain validation when connecting to IP-literal hosts. Such interception can lead to unauthorized access to sensitive data transmitted over the network.

Because the vulnerability compromises confidentiality and integrity of communications, it can negatively impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require secure transmission of personal and sensitive information.

Failure to properly validate SSL/TLS certificates and protect data in transit may result in violations of these regulations, potentially leading to legal and financial consequences.

Impact Analysis

This vulnerability can allow a man-in-the-middle attacker to intercept and manipulate HTTPS traffic between a client using cpp-httplib and an IP-literal host. Because the certificate chain validation is bypassed, an attacker can present a crafted or self-signed certificate that appears valid to the client.

The impact includes unauthorized disclosure of sensitive information (confidentiality) and unauthorized modification of data (integrity). However, availability is not affected.

  • An attacker positioned to intercept traffic can read or modify the data exchanged.
  • Users may be tricked into trusting malicious servers due to improper certificate validation.
  • Applications relying on cpp-httplib for secure communications to IP addresses are at risk until they upgrade to version 0.47.0 or apply mitigations.
Detection Guidance

This vulnerability occurs when cpp-httplib versions 0.31.0 through 0.46.1 are built with Mbed TLS or wolfSSL support and connect to IP-literal hosts with server certificate verification enabled. Detection involves identifying usage of these vulnerable versions and configurations.

To detect exploitation attempts or presence of the vulnerability on your network or system, you can monitor HTTPS connections to IP-literal hosts (e.g., direct IP addresses instead of DNS names) made by applications using cpp-httplib with Mbed TLS or wolfSSL backends.

Suggested commands include network traffic inspection tools to identify suspicious man-in-the-middle activity or certificate anomalies:

  • Use tcpdump or Wireshark to capture and analyze TLS handshake traffic to IP addresses, looking for unusual or self-signed certificates.
  • Example tcpdump command: tcpdump -i <interface> 'tcp port 443 and host <IP-literal>' -w capture.pcap
  • Use OpenSSL s_client to manually verify certificates presented by IP-literal hosts: openssl s_client -connect <IP>:443 -servername <IP>

Additionally, check the version of cpp-httplib used in your environment and whether it is built with Mbed TLS or wolfSSL support, as these are prerequisites for the vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade cpp-httplib to version 0.47.0 or later, where the vulnerability is fixed by enforcing certificate chain verification for IP-literal hosts and disabling SNI for IP hosts as per RFC 6066.

If upgrading immediately is not possible, consider the following workarounds:

  • Use the OpenSSL backend instead of Mbed TLS or wolfSSL, as it is not affected by this vulnerability.
  • Avoid connecting to IP-literal hosts; instead, use DNS hostnames which remain secure.
  • Pin hostnames to fixed IP addresses using the WebSocketClient::set_hostname_addr_map() method to preserve hostname verification.

Also, review your client configurations to ensure server certificate verification is enabled and properly enforced.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54919. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart