Platform: c
Component: botan
Fixed in: 3.11.1
CVE-2026-34580 is an authentication bypass vulnerability in Botan, a C++ cryptography library. The flaw is a logic error in the certificate validation path: a function whose name implied an exact-match check actually performed a looser match, and the code that called it trusted the name. Botan 3.11.0 and earlier (all versions prior to 3.11.1) are affected; the fix shipped in Botan 3.11.1.
The core of the vulnerability lies in Certificate_Store::certificate_known (rendered as CertificateStore::certificateknown on some pages; the underscored form is Botan's actual naming). It returned true if any certificate in the store had a matching Distinguished Name (DN), even when the certificates were not identical. The path validation logic that called it assumed a true result meant that exact certificate was present in the trust store. An attacker who can present an end-entity certificate whose subject DN matches a certificate already in the victim's trust store could therefore have an untrusted certificate accepted as if it were a trusted root, enabling impersonation and man-in-the-middle attacks against applications that validate peers with an affected Botan. As described, the only thing the attacker's certificate must share with a trusted one is its DN, and the DNs of public roots are not secret. The blast radius is significant, as Botan is used in many applications and systems that rely on it for TLS and certificate validation.
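The following stand-alone C++ model illustrates the logic error described above. It is an added example, not Botan source: the Cert and TrustStore types, the two membership predicates, and leaf_accepted are assumptions chosen for the illustration, and the certificates are constructed byte strings rather than real DER. The flawed predicate matches on DN only; the corrected one requires the identical certificate.

```cpp
// Model of the CVE-2026-34580 logic error: a trust-store membership test that
// matches on Distinguished Name only, beside the exact-match test callers assumed.
// Stand-alone illustration, not Botan code; all names and data are constructed.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Minimal stand-in for an X.509 certificate: the subject DN and the DER bytes.
// In a real certificate the DER carries key, serial, signature, etc.; here a
// short constructed byte string stands in for all of that.
struct Cert {
    std::string subject_dn;
    std::vector<uint8_t> der;
};

// Stand-in for a trust store holding root certificates.
struct TrustStore {
    std::vector<Cert> certs;

    // FLAWED (the behaviour described above): true if any stored certificate
    // merely shares the subject DN. A caller that reads the result as "this
    // exact certificate is trusted" is misled.
    bool certificate_known_by_dn(const Cert& c) const {
        return std::any_of(certs.begin(), certs.end(),
            [&](const Cert& t) { return t.subject_dn == c.subject_dn; });
    }

    // CORRECTED: true only if an identical certificate (same DER bytes) is stored.
    bool certificate_known_exact(const Cert& c) const {
        return std::any_of(certs.begin(), certs.end(),
            [&](const Cert& t) { return t.der == c.der; });
    }
};

// Path-validation shortcut modelled on the text: a leaf that is itself "known"
// to the trust store is accepted as trusted without further checks. The flag
// selects which membership test the shortcut relies on.
bool leaf_accepted(const TrustStore& store, const Cert& leaf, bool exact_match) {
    return exact_match ? store.certificate_known_exact(leaf)
                       : store.certificate_known_by_dn(leaf);
}

// Constructed scenario: one trusted root, and an attacker-controlled leaf whose
// subject DN is copied from that root but whose bytes (key, signature) differ.
struct Scenario {
    TrustStore store;
    Cert root;
    Cert forged_leaf;
};

Scenario make_scenario() {
    Cert root{"CN=Example Root CA,O=Example", {0x30, 0x82, 0x01, 0x01}};
    Cert forged{"CN=Example Root CA,O=Example", {0x30, 0x82, 0x02, 0x02}};
    TrustStore store;
    store.certs.push_back(root);
    return Scenario{store, root, forged};
}

int main() {
    Scenario s = make_scenario();
    std::printf("DN-only check accepts forged leaf: %d\n",
                leaf_accepted(s.store, s.forged_leaf, false));   // 1: bypass
    std::printf("exact check accepts forged leaf:   %d\n",
                leaf_accepted(s.store, s.forged_leaf, true));    // 0: rejected
    std::printf("exact check accepts real root:     %d\n",
                leaf_accepted(s.store, s.root, true));           // 1: still trusted
    return 0;
}
```

The same distinction applies to any trust decision an application makes on its own: compare the presented certificate (or its fingerprint or SubjectPublicKeyInfo) against the stored one, never just its subject name.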
CVE-2026-34580 was publicly disclosed on 2026-04-07. At the time of writing there is no indication of active exploitation, no CISA KEV listing, and no public proof-of-concept (PoC) code. That makes the observed risk low rather than the vulnerability theoretical: the flaw is a straightforward logic error, and certificate validation bypasses are attractive to attackers, so prompt patching is warranted.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC: none listed
The primary mitigation is to upgrade to Botan 3.11.1 or later, which corrects the logic in Certificate_Store::certificate_known. If upgrading is not immediately feasible, reduce exposure at the application layer: pin the expected peer certificate or public key (compare the presented leaf's fingerprint or SubjectPublicKeyInfo against a stored value, not its DN) so that a certificate matching only by name is still rejected. This is not a complete fix, since it protects only the connections you pin. Review your application's certificate validation routines and make sure that any trust decision you take yourself compares exact certificates rather than names, instead of relying solely on the library's default behaviour. There are no WAF rules or configuration workarounds for this issue, because it lives in library code rather than in any network-visible input a filter could inspect.
Update the Botan library to version 3.11.1 or later to mitigate the vulnerability. This update corrects an error in certificate validation that allowed end-entity certificates to be accepted as if they were trusted root certificates.
CVE-2026-34580 is a vulnerability in Botan versions prior to 3.11.1 that allows attackers to bypass certificate validation because of a flaw in the Certificate_Store::certificate_known function. This can lead to impersonation of a trusted peer and man-in-the-middle attacks.
You are affected if you are using Botan 3.11.0 or earlier; every version prior to 3.11.1 is vulnerable to this authentication bypass.
Upgrade to Botan version 3.11.1 or later to resolve this vulnerability. This corrects the flawed logic in the certificate validation process.
There is currently no indication of active exploitation of CVE-2026-34580. However, the potential for certificate validation bypass warrants prompt patching.
Refer to the Botan project's security advisories and release notes for the official announcement and details regarding CVE-2026-34580: [https://botan.io/](https://botan.io/)