Main Vulnerability Database Vulnerabilities #VU125384

Improper Enforcement of Behavioral Workflow in Botan - CVE-2026-34582

Published: April 8, 2026

Vulnerability identifier: #VU125384

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-34582

CWE-ID: CWE-841

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Randombit

Affected software:
Botan

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass client certificate authentication.

The vulnerability exists due to improper enforcement of behavioral workflow in the TLS 1.3 implementation when processing ApplicationData records before completion of the handshake. A remote attacker can send application data records before the Finished message to bypass client certificate authentication.

This affects servers attempting to enforce client authentication via certificates, and exploitation involves omitting the Certificate, CertificateVerify, and Finished messages.

How to mitigate CVE-2026-34582

Install security update from vendor's website.

Sources

https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g

Improper Enforcement of Behavioral Workflow in Botan - CVE-2026-34582

Detailed vulnerability description

How to mitigate CVE-2026-34582

Sources

Please verify you're human