CVE-2026-34582

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-34582

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34582.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-34582

Aliases

GHSA-pxcj-9ppx-g86g

Downstream

DEBIAN-CVE-2026-34582

Published

2026-04-07T21:13:49.281Z

Modified

2026-04-09T11:45:19.111351Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Botan has a TLS 1.3 certificate authentication bypass

Details

Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34582.json",
    "cwe_ids": [
        "CWE-841"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/randombit/botan

Affected ranges

Type

GIT

Repo

https://github.com/randombit/botan

Events

Introduced

Fixed

86d105523def181ae833e3aaaf773b1b0c20dda4

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.11.1"
        }
    ]
}

Affected versions

1.*

1.10.0

1.10.0-rc1

1.10.1

1.11.0

1.11.10

1.11.11

1.11.12

1.11.13

1.11.14

1.11.15

1.11.16

1.11.17

1.11.18

1.11.19

1.11.2

1.11.20

1.11.21

1.11.22

1.11.23

1.11.24

1.11.25

1.11.26

1.11.27

1.11.28

1.11.29

1.11.3

1.11.30

1.11.31

1.11.32

1.11.33

1.11.34

1.11.5

1.11.6

1.11.7

1.11.8

1.11.9

1.5.10

1.5.11

1.5.12

1.5.13

1.5.6

1.5.7

1.5.8

1.5.9

1.6.0

1.6.1

1.7.0

1.7.1

1.7.10

1.7.11

1.7.15

1.7.16

1.7.17

1.7.18

1.7.19

1.7.20

1.7.21

1.7.22

1.7.23

1.7.24

1.7.3

1.7.4

1.7.5

1.7.6

1.7.7

1.7.8

1.7.9

1.8.2

1.8.3

1.8.4

1.8.5

1.8.6

1.8.7

1.8.8

1.9.10

1.9.11

1.9.12

1.9.13

1.9.14

1.9.15

1.9.16

1.9.17

1.9.18

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

2.*

2.0.0

2.0.1

2.1.0

2.10.0

2.11.0

2.12.0

2.12.1

2.13.0

2.14.0

2.15.0

2.16.0

2.17.0

2.2.0

2.3.0

2.4.0

2.5.0

2.6.0

2.7.0

2.8.0

2.9.0

3.*

3.0.0

3.0.0-alpha0

3.0.0-alpha1

3.0.0-rc1

3.1.0

3.1.1

3.10.0

3.11.0

3.2.0

3.3.0

3.4.0

3.5.0

3.6.0

3.6.1

3.7.0

3.7.1

3.8.0

3.8.1

3.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34582.json"