{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34580", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.999Z", "datePublished": "2026-04-07T21:12:09.604Z", "dateUpdated": "2026-04-09T03:56:10.769Z"}, "containers": {"cna": {"title": "Botan has a certificate authentication bypass due to trust anchor confusion", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827"}], "affected": [{"vendor": "randombit", "product": "botan", "versions": [{"version": ">= 3.11.0, < 3.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T21:12:09.604Z"}, "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. , This vulnerability is fixed in 3.11.1."}], "source": {"advisory": "GHSA-v782-6fq4-q827", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-34580"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T03:56:10.769Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34580", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T15:23:54.611765Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:23:58.256Z"}}], "cna": {"title": "Botan has a certificate authentication bypass due to trust anchor confusion", "source": {"advisory": "GHSA-v782-6fq4-q827", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "randombit", "product": "botan", "versions": [{"status": "affected", "version": ">= 3.11.0, < 3.11.1"}]}], "references": [{"url": "https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827", "name": "https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. , This vulnerability is fixed in 3.11.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T21:12:09.604Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34580", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:24:01.286Z", "dateReserved": "2026-03-30T16:56:30.999Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T21:12:09.604Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:botan_project:botan:3.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "6EEE0045-C0B8-4412-A171-138CB5039475", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. , This vulnerability is fixed in 3.11.1."}], "id": "CVE-2026-34580", "lastModified": "2026-04-17T20:30:02.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T22:16:22.647", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Botan: Botan: Certificate validation bypass due to incorrect certificate matching", "id": "2456288", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456288"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["A flaw was found in Botan, a C++ cryptography library. Due to a misleading function name and an assumption in path validation logic, an end entity certificate could be incorrectly accepted as a trusted root. This occurs when the end entity certificate's Distinguished Name (DN) and Subject Key Identifier (SKI) match those of any trusted root certificate in the store, even if the certificates are not identical. This vulnerability allows for a bypass of certificate validation, potentially enabling an attacker to present a malicious certificate that is trusted by the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-34580", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rust-sequoia-sq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rust-sequoia-sqv", "product_name": "Red Hat Enterprise Linux 10"}], "public_date": "2026-04-07T21:12:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34580\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34580\nhttps://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.11.0,3.11.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "botan", "source": "cna", "vendor": "randombit"}, "product": "botan", "vendor": "randombit"}], "analysis": {"en": {"generated_at": "2026-04-07T23:14:32.350506+00:00", "value": {"mitigation_remediation": ["Upgrade Botan to version 3.11.1 or newer.", "Rebuild all applications that link to Botan.", "Verify that the new library is in use before restarting services."], "summary": {"action": "Immediate Patch", "impact": "Trust Anchor Bypass"}, "threat_synthesis": {"affected_systems": "Systems that incorporate the randombit Botan cryptographic library, specifically version 3.11.0. Applications built against Botan 3.11.0 for TLS, SSL, or other cryptographic operations are vulnerable. The issue has been fixed in Botan 3.11.1, so any deployment using an older 3.11.0 build is at risk.", "description_and_impact": "Botan\u2019s Certificate_Store::certificate_known function returns true when a certificate\u2019s distinguished name (DN) and optional subject key identifier match any certificate already in the trusted store, but it does not verify that the matched certificate is the exact same instance. When the path\u2011validation logic was extended in version 3.11.0, it incorrectly assumed that certificate_known only confirmed identity. As a result, an end\u2011entity certificate with the same DN (and subject key identifier, if any) as a trusted root is accepted immediately as a trusted root. This bypassing of trust chain validation permits an attacker to present a forged or malicious certificate to an application that uses Botan 3.11.0, effectively granting the attacker the same privileges as a root certificate authority. The weakness is classified as CWE\u2011295, Authentication Bypass via Certificate Trust.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.3, indicating critical severity. Although EPSS data is not provided, the lack of a KEV listing suggests no widespread exploitation yet. An attacker would need to supply a certificate that shares the distinguished name, and optionally the subject key identifier, of an existing trusted root. When such a certificate is presented to a Botan 3.11.0 application\u2014for example, during a TLS handshake or client\u2011certificate authentication\u2014the library mistakenly accepts it as a self\u2011trusted root. The resulting compromise allows the attacker to present forged certificates, intercept or alter secure communications, and potentially elevate privileges. The library\u2019s internal assumption called out by CWEs: Authentication Bypass via Trust Anchor."}}}}, "created": "2026-04-08T19:34:10.983625+00:00", "updated": "2026-04-08T19:45:37.275408+00:00", "vendors": ["randombit", "randombit$PRODUCT$botan"]}