Platform: openssl
Component: openssl
Fixed in: 3.6.2
CVE-2026-34054 is a high-severity vulnerability affecting OpenSSL versions up to 3.6.1#3 as packaged by the vcpkg package manager. The issue arises from an incorrect configuration during the Windows build process: the openssldir path is set to a location on the build machine, potentially exposing customer systems that deploy the resulting binaries to attack. The vulnerability is patched in version 3.6.1#3, and users are strongly advised to upgrade.
The core of the vulnerability is the improper setting of the openssldir variable during vcpkg's Windows build of OpenSSL. This variable dictates where OpenSSL looks for its configuration files and certificates, and by default it should point to a secure, system-managed location. The flawed vcpkg build process instead sets it to a path on the build machine, so applications built with the vulnerable vcpkg version look for their OpenSSL configuration at that build-machine path when they run on customer machines, where that path is accessible and potentially exploitable. Depending on how the application interacts with OpenSSL, an attacker could gain access to sensitive data stored in the OpenSSL configuration or leverage that access to execute arbitrary code, which could lead to data breaches, system compromise, and denial of service.
This vulnerability is not currently listed in the CISA KEV catalog. The EPSS score is likely to be low to medium, given the requirement for access to the build environment and the potential complexity of exploiting the misconfigured openssldir. No public proof-of-concept exploit had been released as of the publication date. The vulnerability was disclosed on 2026-03-31.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34054 is to upgrade vcpkg to version 3.6.1#3 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider isolating the vulnerable vcpkg installation to a separate environment. While not a complete solution, restricting network access to the build machine can limit the potential attack surface. Monitor OpenSSL configuration files for unexpected changes. There are no specific WAF or proxy rules that can directly address this vulnerability, as it's a build-time configuration issue. After upgrading vcpkg, verify the openssldir path within the OpenSSL configuration to ensure it points to a secure, system-managed location.
Update vcpkg to version 3.6.1#3 or later. This ensures that OpenSSL builds on Windows are not vulnerable to path manipulation.
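The advisory's post-upgrade verification step (check that the compiled-in openssldir points to a system-managed location) can be automated. The following is an added example written for this page, not code from vcpkg or the OpenSSL project: it parses the `OPENSSLDIR:` line that `openssl version -d` prints, applies a heuristic for "looks like a build tree or per-user directory", and reports the result. The path markers in BUILD_TREE_MARKERS and both sample outputs are constructed for illustration; they are not values observed from an actual vcpkg build.

```python
"""Audit the OPENSSLDIR an OpenSSL build was compiled with.

Added example for this advisory (not vcpkg's or OpenSSL's own tooling).
`openssl version -d` prints the compiled-in configuration directory, e.g.
    OPENSSLDIR: "/usr/lib/ssl"
A build misconfigured the way the advisory describes reports a path that
belongs to the build machine instead of a system-managed location.
"""
import re
import subprocess
from typing import Optional

# Path fragments that suggest a build tree or a per-user directory.
# Assumed heuristic for this example; extend it to match your own CI layout.
BUILD_TREE_MARKERS = (
    "/vcpkg/", "/buildtrees/", "/users/", "/home/", "/tmp/", "/temp/", "/_work/",
)


def parse_openssldir(version_output: str) -> Optional[str]:
    """Return the quoted OPENSSLDIR path from `openssl version -d` output, or None."""
    match = re.search(r'OPENSSLDIR:\s*"([^"]*)"', version_output)
    return match.group(1) if match else None


def looks_like_build_machine_path(path: str) -> bool:
    """True when the directory looks like it came from the machine that compiled OpenSSL."""
    # Normalise Windows and POSIX separators, case, and surrounding slashes so
    # every component is delimited by "/" before matching the markers.
    normalized = "/" + path.replace("\\", "/").strip("/").lower() + "/"
    return any(marker in normalized for marker in BUILD_TREE_MARKERS)


def audit_openssldir(version_output: str) -> dict:
    """Summarise whether the compiled-in directory is acceptable."""
    path = parse_openssldir(version_output)
    if path is None:
        return {"path": None, "suspicious": True, "reason": "OPENSSLDIR not reported"}
    if looks_like_build_machine_path(path):
        return {"path": path, "suspicious": True,
                "reason": "points into a build tree or user profile"}
    return {"path": path, "suspicious": False, "reason": "system-managed location"}


def audit_installed_openssl(openssl_exe: str = "openssl") -> dict:
    """Run a real openssl binary; point openssl_exe at the one your vcpkg build produced."""
    result = subprocess.run([openssl_exe, "version", "-d"],
                            capture_output=True, text=True, check=True)
    return audit_openssldir(result.stdout)


# Constructed sample outputs (illustrative paths, not captured from a vcpkg build).
SAMPLE_SYSTEM_OUTPUT = 'OPENSSLDIR: "C:\\Program Files\\Common Files\\SSL"'
SAMPLE_BUILD_OUTPUT = (
    'OPENSSLDIR: "C:\\Users\\builder\\vcpkg\\buildtrees\\openssl\\x64-windows-rel"'
)

if __name__ == "__main__":
    for label, sample in (("system", SAMPLE_SYSTEM_OUTPUT), ("build", SAMPLE_BUILD_OUTPUT)):
        print(label, audit_openssldir(sample))
```

Run `audit_installed_openssl(r"path\to\your\openssl.exe")` against the binary your vcpkg build actually produced; an application that links the same libcrypto DLL uses the same compiled-in directory, so this one check covers the deployed artifacts too. A "suspicious" result after the upgrade means the build is still carrying a build-machine openssldir and should be rebuilt.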
CVE-2026-34054 is a high-severity vulnerability in vcpkg's Windows builds of OpenSSL where the openssldir path is incorrectly set, potentially exposing customer machines to attacks.
You are affected if you are using vcpkg on Windows with OpenSSL version 3.6.1#3 or earlier.
Upgrade vcpkg to version 3.6.1#3 or later to resolve this vulnerability. Consider isolating the vulnerable installation if an immediate upgrade is not possible.
As of the publication date, there is no confirmed active exploitation of CVE-2026-34054, but it's crucial to apply the patch proactively.
Refer to the vcpkg project's official release notes and security advisories for detailed information and updates regarding CVE-2026-34054.