#VU125385 Improper Certificate Validation in Botan - CVE-2026-34580
Published: April 8, 2026
Botan
Randombit
Description
The vulnerability allows a remote attacker to bypass X.509 certificate verification.
The vulnerability exists due to improper certificate validation in Certificate_Store::certificate_known and in the path validation logic that consumes it when processing a presented end entity certificate. A remote attacker can present a crafted certificate whose subject distinguished name and subject key identifier match those of a trusted root and thereby bypass X.509 certificate verification.
The issue occurs because the certificate lookup logic treated a match on these searchable attributes as if the certificates were identical, so the end entity certificate was accepted as a trusted root and path validation stopped there without any signature ever being checked against the real root's key. Both attributes are chosen freely by whoever generates a certificate, so a store lookup that answers "is this certificate trusted?" has to compare the complete certificate (its full encoding or a digest of it), not the fields used to find candidates.
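The following is an added example, not Botan's code and not taken from the advisory: a deliberately minimal C++ model of a trust store and path validator that contrasts the vulnerable notion of "known" (match on subject DN and SKID) with the fixed one (match on the full encoding). All certificates, field names and the signature model are constructed stand-ins.

```cpp
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for an X.509 certificate: only the fields this
// example needs, plus a fake "signature" field (example code, not Botan).
struct Cert {
    std::string subject_dn;
    std::string issuer_dn;
    std::string skid;     // Subject Key Identifier
    std::string akid;     // Authority Key Identifier
    std::string spki;     // stand-in for the subject public key
    std::string sig_key;  // stand-in for "which key produced the signature"

    // Stand-in for the full DER encoding: every field contributes, so two
    // certificates that differ in any field have different encodings.
    std::string der() const {
        return subject_dn + '|' + issuer_dn + '|' + skid + '|' + akid + '|' + spki + '|' + sig_key;
    }
};

// Signature model: the signature verifies iff it was made by the issuer's key.
static bool signature_ok(const Cert& child, const Cert& issuer) {
    return child.sig_key == issuer.spki;
}

// VULNERABLE lookup (the shape of the bug described above): a certificate is
// "known" if some trusted certificate has the same subject DN and SKID.
bool known_by_attributes(const std::vector<Cert>& trusted, const Cert& c) {
    for (const Cert& t : trusted) {
        if (t.subject_dn == c.subject_dn && t.skid == c.skid) return true;
    }
    return false;
}

// FIXED lookup: "known" means the identical certificate is in the store,
// compared on its full encoding rather than on searchable attributes.
bool known_by_encoding(const std::vector<Cert>& trusted, const Cert& c) {
    const std::string d = c.der();
    for (const Cert& t : trusted) {
        if (t.der() == d) return true;
    }
    return false;
}

using KnownFn = bool (*)(const std::vector<Cert>&, const Cert&);

// Locate a candidate issuer for `c` by DN and key identifier, first in the
// presented chain, then in the trust store, never returning `c` itself.
static const Cert* find_issuer(const std::vector<Cert>& chain, const std::vector<Cert>& trusted, const Cert& c) {
    for (const std::vector<Cert>* pool : {&chain, &trusted}) {
        for (const Cert& cand : *pool) {
            if (cand.subject_dn == c.issuer_dn && cand.skid == c.akid && cand.der() != c.der()) return &cand;
        }
    }
    return nullptr;
}

// Minimal path validation: walk from the presented end entity towards a trust
// anchor, verifying each signature, and stop as soon as the current certificate
// is "known". Which notion of "known" is plugged in is the whole difference.
bool path_valid(const std::vector<Cert>& chain, const std::vector<Cert>& trusted, KnownFn known) {
    if (chain.empty()) return false;
    const Cert* cur = &chain.front();
    for (size_t hops = 0; hops <= chain.size(); ++hops) {  // +1 hop onto a store cert
        if (known(trusted, *cur)) return true;
        const Cert* issuer = find_issuer(chain, trusted, *cur);
        if (issuer == nullptr || !signature_ok(*cur, *issuer)) return false;
        cur = issuer;
    }
    return false;
}

// Constructed scenario: one trusted root, a legitimate leaf it issued, and an
// attacker's self-signed leaf that copies only the root's DN and SKID.
static const Cert kRoot{"CN=Example Root CA", "CN=Example Root CA", "aa:bb", "aa:bb", "ROOT_KEY", "ROOT_KEY"};
static const Cert kLegitLeaf{"CN=www.example.test", "CN=Example Root CA", "11:22", "aa:bb", "LEAF_KEY", "ROOT_KEY"};
static const Cert kCraftedLeaf{"CN=Example Root CA", "CN=Example Root CA", "aa:bb", "aa:bb", "ATTACKER_KEY", "ATTACKER_KEY"};

const std::vector<Cert>& trust_store() {
    static const std::vector<Cert> store{kRoot};
    return store;
}

bool crafted_accepted_by_vulnerable() { return path_valid({kCraftedLeaf}, trust_store(), known_by_attributes); }
bool crafted_accepted_by_fixed()      { return path_valid({kCraftedLeaf}, trust_store(), known_by_encoding); }
bool legit_accepted_by_fixed()        { return path_valid({kLegitLeaf}, trust_store(), known_by_encoding); }
bool root_itself_accepted_by_fixed()  { return path_valid({kRoot}, trust_store(), known_by_encoding); }

int main() {
    std::cout << "crafted leaf, attribute lookup: " << (crafted_accepted_by_vulnerable() ? "ACCEPTED" : "rejected") << '\n';
    std::cout << "crafted leaf, encoding lookup:  " << (crafted_accepted_by_fixed() ? "ACCEPTED" : "rejected") << '\n';
    std::cout << "legit leaf, encoding lookup:    " << (legit_accepted_by_fixed() ? "accepted" : "REJECTED") << '\n';
    return 0;
}
```

With the attribute lookup the crafted leaf is reported as a trust anchor on the first hop, so its self-signature is never checked against anything. With the encoding lookup it is not known, its named issuer is resolved to the real root, and the signature check against ROOT_KEY fails, while the legitimately issued leaf and the root itself still validate.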