SB2026061839 - Improper Certificate Validation in Cpp-httplib

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Certificate Validation (CVE-ID: CVE-2026-54919)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information and modify transmitted data.

The vulnerability exists due to improper certificate validation in the TLS certificate verification logic of SSLClient, Client in HTTPS mode, and WebSocketClient when connecting to IP-literal hosts over the Mbed TLS or wolfSSL backends. A remote attacker can present a crafted certificate during a man-in-the-middle attack to disclose sensitive information and modify transmitted data.

Only builds using the Mbed TLS or wolfSSL backends are affected, and the issue occurs when connecting to a host specified as an IP literal rather than a DNS hostname.

Remediation

Install update from vendor's website.

References

• https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-8ffh-4p95-g3p2
• https://github.com/yhirose/cpp-httplib/commit/fa981cedae004ea9d946f1392b9dec22fac6fee6