Improper Certificate Validation in Cpp-httplib - CVE-2026-54919
Published: June 18, 2026
Vulnerability identifier: #VU134853
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-54919
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cpp-httplib Project
Affected software:
Cpp-httplib
Cpp-httplib
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information and modify transmitted data.
The vulnerability exists due to improper certificate validation in the TLS certificate verification logic of SSLClient, Client in HTTPS mode, and WebSocketClient when connecting to IP-literal hosts over the Mbed TLS or wolfSSL backends. A remote attacker can present a crafted certificate during a man-in-the-middle attack to disclose sensitive information and modify transmitted data.
Only builds using the Mbed TLS or wolfSSL backends are affected, and the issue occurs when connecting to a host specified as an IP literal rather than a DNS hostname.
How to mitigate CVE-2026-54919
Install security update from vendor's website.