Platform
python
Component
cryptography
Fixed in
46.0.7
46.0.6
CVE-2026-34073 is a medium-severity vulnerability affecting the cryptography Python library versions up to 46.0.5. This flaw allows a peer to bypass DNS name constraints during certificate validation, potentially enabling man-in-the-middle attacks. The vulnerability stems from an incomplete validation of DNS names against Name Constraints in certificates. A fix is available in version 46.0.6.
This vulnerability allows an attacker to validate a certificate against a wildcard certificate even when a Name Constraint explicitly excludes the target domain. For example, an attacker could use a certificate for *.example.com to validate a connection to bar.example.com even if bar.example.com is excluded in the certificate's Name Constraint. This can lead to man-in-the-middle attacks, where an attacker intercepts and potentially modifies communications between a client and a server. The impact is particularly severe in environments where certificate validation is critical for security, such as financial transactions or secure communication channels. The lack of proper validation opens the door to unauthorized access and data compromise.
CVE-2026-34073 was publicly disclosed on 2026-03-27. No public proof-of-concept (PoC) code has been released as of this writing. The EPSS score is currently pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to cryptography version 46.0.6 or later. If upgrading is not immediately feasible, consider implementing stricter DNS validation policies at the network level to prevent connections to untrusted domains. While not a direct fix, using a Web Application Firewall (WAF) that can inspect TLS connections and enforce certificate validation policies can provide an additional layer of defense. Thoroughly review certificate validation configurations and ensure that Name Constraints are correctly defined and enforced to minimize the attack surface. After upgrade, confirm validation by attempting a connection to a domain with a Name Constraint and verifying that the connection fails as expected.
Update the cryptography library to version 46.0.6 or higher. This will correct the incomplete validation of DNS name constraints in peer names.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34073 is a vulnerability in the cryptography Python library that allows a peer to bypass DNS name constraints during certificate validation, potentially enabling man-in-the-middle attacks.
You are affected if you are using cryptography versions 46.0.5 or earlier. Upgrade to version 46.0.6 or later to mitigate the risk.
Upgrade to cryptography version 46.0.6 or later. If upgrading is not possible, consider implementing stricter DNS validation policies.
As of now, there is no confirmed active exploitation of CVE-2026-34073, but the vulnerability is publicly known.
Refer to the cryptography project's security advisories on their official website or GitHub repository for the latest information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.