Platform
cpp
Component
botan
Fixed in
3.11.2
CVE-2026-34582 describes an authentication bypass vulnerability in Botan, a C++ cryptography library. This flaw allows attackers to circumvent client certificate authentication by sending application data records before the Finished message in TLS 1.3. The vulnerability affects versions 3.11.0 through 3.11.0 and is resolved in version 3.11.1.
An attacker exploiting this vulnerability can bypass client certificate authentication, effectively impersonating legitimate clients. This could lead to unauthorized access to resources protected by the Botan library, potentially enabling data breaches, privilege escalation, or other malicious activities. The impact is particularly severe in systems relying on client certificates for strong authentication, such as secure web servers or VPN gateways. Successful exploitation could allow an attacker to establish a connection without proper verification, potentially gaining access to sensitive data or functionality.
This vulnerability was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The likelihood of exploitation is currently considered low due to the lack of a public PoC.
Exploit Status
EPSS
0.03% (10% percentile)
CISA SSVC
The primary mitigation is to upgrade to Botan version 3.11.1 or later, which contains the fix for this authentication bypass. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict TLS 1.3 configuration to enforce the proper sequence of messages. Review TLS 1.3 configurations to ensure the Finished message is received before processing ApplicationData records. Monitor network traffic for unusual patterns, such as application data records appearing before the Finished message, which could indicate an attempted exploitation.
Update the Botan library to version 3.11.1 or higher to mitigate the vulnerability. This update corrects the issue by ensuring the Finished message is received before processing application data records, thus preventing the possibility of a client certificate authentication bypass.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-34582 is a vulnerability in Botan 3.11.0 allowing attackers to bypass client certificate authentication in TLS 1.3 by omitting key messages.
If you are using Botan version 3.11.0 or 3.11.0, you are potentially affected by this vulnerability. Upgrade to 3.11.1 or later to mitigate the risk.
The recommended fix is to upgrade to Botan version 3.11.1 or a later version. If upgrading is not possible, review and tighten TLS 1.3 configurations.
As of the current date, there are no confirmed reports of active exploitation of CVE-2026-34582, but it's crucial to apply the patch proactively.
Refer to the official Botan project website and security advisories for the latest information and updates regarding CVE-2026-34582.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.