#VU125338 Improper Certificate Validation in python-cryptography - CVE-2026-34073


Published: April 8, 2026


Vulnerability identifier: #VU125338
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34073
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: python-cryptography
Software vendor: Python Cryptographic Authority

Description

The vulnerability allows a remote attacker to bypass certificate name-constraint validation.

The vulnerability exists due to improper certificate validation in the X.509 certificate validation logic when a peer name is validated against a certificate chain whose leaf carries a wildcard SAN. A remote attacker can present a crafted certificate chain to bypass name-constraint validation.

Exploitation requires an uncommon X.509 topology involving an excluded subtree constraint that matches the peer name.
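To make that topology concrete, the following is an added illustration (not python-cryptography's code, and not a description of its internal fix): the RFC 5280 DNS excluded-subtree test is applied once to the SAN strings alone and once to the matched peer name as well, with constructed hostnames, showing how a wildcard SAN that is itself outside an excluded subtree can stand in for a peer name that lies inside it.

```python
"""Added example with constructed hostnames; not code from python-cryptography.
It models the name-constraint edge case in the advisory: a wildcard SAN outside
an excluded DNS subtree matching a peer name that is inside that subtree."""


def dns_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10 DNS subtree test: `name` is in the subtree when it
    equals the constraint or ends with '.' + constraint (labels added on the
    left). A leading '*.' is just another label as far as this test goes."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".").lstrip(".")
    return name == constraint or name.endswith("." + constraint)


def wildcard_matches(san: str, peer: str) -> bool:
    """RFC 6125-style hostname match: '*.' stands in for exactly one label."""
    san, peer = san.lower(), peer.lower()
    if not san.startswith("*."):
        return san == peer
    labels = peer.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == san[2:]


def san_only_check(peer: str, sans: list[str], excluded: list[str]) -> bool:
    """Weak policy: only the SAN strings are tested against excluded subtrees.
    A wildcard SAN passes even when the peer name it matches is excluded."""
    if any(dns_in_subtree(s, ex) for s in sans for ex in excluded):
        return False
    return any(wildcard_matches(s, peer) for s in sans)


def peer_aware_check(peer: str, sans: list[str], excluded: list[str]) -> bool:
    """Hardened policy: the matched peer name must also lie outside every
    excluded subtree, so a wildcard cannot reach into an excluded zone."""
    if not san_only_check(peer, sans, excluded):
        return False
    return not any(dns_in_subtree(peer, ex) for ex in excluded)


# Constructed scenario: the issuing CA is barred from admin.example.com, yet
# the leaf's wildcard SAN for the parent zone still covers that single host.
EXCLUDED = ["admin.example.com"]
SANS = ["*.example.com"]

if __name__ == "__main__":
    for peer in ("admin.example.com", "www.example.com", "www.other.com"):
        print(peer, "san-only:", san_only_check(peer, SANS, EXCLUDED),
              "peer-aware:", peer_aware_check(peer, SANS, EXCLUDED))
```

The SAN-only policy accepts `admin.example.com` because `*.example.com` is not within the excluded subtree, while the peer-aware policy rejects it because the name actually being validated is.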


Remediation

Install the security update from the vendor's website.

External links