Improper Certificate Validation in OpenSSL - CVE-2026-42769


Published: June 10, 2026
Vulnerability identifier: #VU134284
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-42769
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenSSL Software Foundation
Affected software:
OpenSSL

Detailed vulnerability description

The vulnerability allows a remote user to replace the root CA certificate that CMP clients trust.

The vulnerability exists due to improper certificate validation in OSSL_CMP_get1_rootCaKeyUpdate() when it processes id-it-rootCaKeyUpdate CMP messages. A remote user can send a crafted CMP root CA key update message and thereby replace the root CA certificate trusted by CMP clients.

Exploitation requires credentials that satisfy the CMP message protection checks.


How to mitigate CVE-2026-42769

Install the security update from the vendor's website.

Sources