Platform: python
Component: rfc3161-client
Fixed in: 1.0.7, 1.0.6
CVE-2026-33753 describes an authorization bypass vulnerability in the rfc3161-client Python library. The flaw allows an attacker to impersonate a trusted Time-Stamping Authority (TSA), which can lead to forged timestamps being created and accepted. The vulnerability affects versions of rfc3161-client prior to 1.0.6, and a patch has been released to address the issue.
The core of this vulnerability lies in the library's handling of PKCS#7 certificate bags. An attacker can craft a malicious certificate bag containing a spoofed certificate that matches the target's common_name and Extended Key Usage (EKU) requirements. Due to a logic flaw in the certificate extraction process, the library incorrectly validates the authorization rules against this forged certificate, effectively bypassing the intended security checks. This allows an attacker to generate timestamps that appear to originate from a trusted TSA, potentially compromising the integrity of time-stamped data and enabling fraudulent activities. The impact is particularly severe in scenarios where timestamped data is used for non-repudiation or regulatory compliance.
CVE-2026-33753 was publicly disclosed on 2026-04-08. The vulnerability's complexity is relatively low, making it potentially accessible to a wider range of attackers. There is no indication of active exploitation campaigns at this time, but the availability of the vulnerability details increases the risk of future exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.00% (0% percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33753 is to upgrade to version 1.0.6 or later of the rfc3161-client library. If upgrading is not immediately feasible, consider implementing stricter validation of timestamps received from external sources. This could involve verifying that the TSA's signing certificate chains to a trusted root and ensuring that the certificate's EKU matches the expected timestamping usage. Additionally, review any applications using rfc3161-client to identify potential attack surfaces and implement compensating controls where possible. After upgrading, confirm the fix by attempting to generate a timestamp with a forged certificate and verifying that the library rejects it.
Update the rfc3161-client library to version 1.0.6 or higher to fix the authorization bypass vulnerability. This version implements more robust certificate validation, preventing the manipulation and use of forged certificates for timestamping.
CVE-2026-33753 is a medium-severity authorization bypass vulnerability in the rfc3161-client Python library that allows attackers to impersonate trusted Time-Stamping Authorities.
You are affected if you are using rfc3161-client versions 1.0.5 or earlier. Upgrade to 1.0.6 or later to mitigate the risk.
Upgrade to version 1.0.6 or later of the rfc3161-client library using pip: pip install rfc3161-client==1.0.6.
There is currently no evidence of active exploitation, but the vulnerability details are public, increasing the risk of future attacks.
Refer to the project's repository or associated security mailing lists for the official advisory. Check PyPI for the updated package.