cryptography
Fixed in
46.0.7
46.0.6
CVE-2026-34073 is a medium-severity vulnerability affecting the cryptography Python library versions up to 46.0.5. This flaw allows a peer to bypass DNS name constraints during certificate validation, potentially enabling man-in-the-middle attacks. The vulnerability stems from an incomplete validation of DNS names against Name Constraints in certificates. A fix is available in version 46.0.6.
This vulnerability lets a wildcard certificate validate for a name that the issuing certificate's Name Constraints explicitly exclude. For example, a certificate for *.example.com could be used to validate a connection to bar.example.com even though bar.example.com is listed in an excluded subtree of the Name Constraints extension. This enables man-in-the-middle attacks, in which an attacker intercepts and potentially modifies communications between a client and a server. The impact is particularly severe where certificate validation is a critical security control, such as financial transactions or secure communication channels. The missing check opens the door to unauthorized access and data compromise.
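As an added illustration (not the cryptography project's own code, and a deliberate simplification of RFC 5280 DNS subtree matching), the snippet below contrasts a constraint check that only tests the literal SAN string against the excluded subtrees with one that also tests the peer name actually being validated, using the page's *.example.com / bar.example.com case:

```python
# Illustrative name-constraint logic (assumption: simplified RFC 5280 DNS
# subtree rules; constructed for this example, not cryptography's code).

def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280: a DNS name is in a subtree if it equals the subtree or is
    the subtree with one or more labels added on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def san_matches_peer(san: str, peer: str) -> bool:
    """Wildcard-aware SAN match: '*.example.com' covers exactly one extra
    left-most label (bar.example.com yes, a.b.example.com no)."""
    san, peer = san.lower(), peer.lower()
    if san.startswith("*."):
        labels = peer.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == san[2:]
    return san == peer


def naive_constraint_check(san: str, excluded: list) -> bool:
    """Incomplete check: only the literal SAN string is tested against the
    excluded subtrees. '*.example.com' is not under 'bar.example.com', so
    the exclusion never fires even when the peer is bar.example.com."""
    return not any(dns_in_subtree(san, ex) for ex in excluded)


def strict_constraint_check(san: str, peer: str, excluded: list) -> bool:
    """Complete check: the SAN must match the peer, the literal SAN must not
    lie in an excluded subtree, and the validated peer name itself must not
    lie in an excluded subtree either."""
    if not san_matches_peer(san, peer):
        return False
    if any(dns_in_subtree(san, ex) for ex in excluded):
        return False
    return not any(dns_in_subtree(peer, ex) for ex in excluded)


if __name__ == "__main__":
    excluded = ["bar.example.com"]   # constructed: CA excludes this subtree
    san = "*.example.com"            # constructed: leaf presents a wildcard
    for peer in ("bar.example.com", "foo.example.com"):
        print(peer, "naive:", naive_constraint_check(san, excluded),
              "strict:", strict_constraint_check(san, peer, excluded))
```

For bar.example.com the naive check accepts and the strict check rejects; for foo.example.com both accept, which is the behaviour the constraint was meant to produce.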
CVE-2026-34073 was publicly disclosed on 2026-03-27. No public proof-of-concept (PoC) code has been released as of this writing. The EPSS score is currently pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Applications and systems relying on the cryptography library for secure communication, particularly those using wildcard certificates or relying on Name Constraints for enhanced security, are at risk. This includes web applications, APIs, and any system performing TLS/SSL connections where certificate validation is a critical security control.
• python / library: Check the installed version from Python:
  import cryptography
  print(cryptography.__version__)
• python / library: Check for versions <= 46.0.5 using pip:
  pip show cryptography
• generic web: Inspect TLS handshake logs for unusual certificate validation patterns or connections to unexpected domains.
Disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to cryptography version 46.0.6 or later. If upgrading is not immediately feasible, consider implementing stricter DNS validation policies at the network level to prevent connections to untrusted domains. While not a direct fix, a Web Application Firewall (WAF) that can inspect TLS connections and enforce certificate validation policies can provide an additional layer of defense. Thoroughly review certificate validation configurations and ensure that Name Constraints are correctly defined and enforced to minimize the attack surface. After upgrading, confirm the fix by attempting a connection to a name that falls in an excluded Name Constraint subtree and verifying that validation fails as expected.
Update the cryptography library to version 46.0.6 or later. This fixes the incomplete validation of DNS name constraints in peer names.
CVE-2026-34073 is a vulnerability in the cryptography Python library that allows a peer to bypass DNS name constraints during certificate validation, potentially enabling man-in-the-middle attacks.
You are affected if you are using cryptography versions 46.0.5 or earlier. Upgrade to version 46.0.6 or later to mitigate the risk.
Upgrade to cryptography version 46.0.6 or later. If upgrading is not possible, consider implementing stricter DNS validation policies.
As of now, there is no confirmed active exploitation of CVE-2026-34073, but the vulnerability is publicly known.
Refer to the cryptography project's security advisories on their official website or GitHub repository for the latest information.