cryptography
Opgelost in
46.0.7
46.0.6
CVE-2026-34073 is a medium-severity vulnerability affecting the cryptography Python library versions up to 46.0.5. This flaw allows a peer to bypass DNS name constraints during certificate validation, potentially enabling man-in-the-middle attacks. The vulnerability stems from an incomplete validation of DNS names against Name Constraints in certificates. A fix is available in version 46.0.6.
This vulnerability allows an attacker to validate a certificate against a wildcard certificate even when a Name Constraint explicitly excludes the target domain. For example, an attacker could use a certificate for *.example.com to validate a connection to bar.example.com even if bar.example.com is excluded in the certificate's Name Constraint. This can lead to man-in-the-middle attacks, where an attacker intercepts and potentially modifies communications between a client and a server. The impact is particularly severe in environments where certificate validation is critical for security, such as financial transactions or secure communication channels. The lack of proper validation opens the door to unauthorized access and data compromise.
CVE-2026-34073 was publicly disclosed on 2026-03-27. No public proof-of-concept (PoC) code has been released as of this writing. The EPSS score is currently pending evaluation. This vulnerability is not currently listed on the CISA KEV catalog.
Applications and systems relying on the cryptography library for secure communication, particularly those using wildcard certificates or relying on Name Constraints for enhanced security, are at risk. This includes web applications, APIs, and any system performing TLS/SSL connections where certificate validation is a critical security control.
• python / library:
import cryptography
print(cryptography.__version__)• python / library: Check for versions <= 46.0.5 using pip:
pip show cryptography• generic web: Inspect TLS handshake logs for unusual certificate validation patterns or connections to unexpected domains.
disclosure
Exploit Status
EPSS
0.03% (9% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation is to upgrade to cryptography version 46.0.6 or later. If upgrading is not immediately feasible, consider implementing stricter DNS validation policies at the network level to prevent connections to untrusted domains. While not a direct fix, using a Web Application Firewall (WAF) that can inspect TLS connections and enforce certificate validation policies can provide an additional layer of defense. Thoroughly review certificate validation configurations and ensure that Name Constraints are correctly defined and enforced to minimize the attack surface. After upgrade, confirm validation by attempting a connection to a domain with a Name Constraint and verifying that the connection fails as expected.
Werk de cryptography bibliotheek bij naar versie 46.0.6 of hoger. Dit corrigeert de incomplete validatie van DNS-naamrestricties in peer namen.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2026-34073 is a vulnerability in the cryptography Python library that allows a peer to bypass DNS name constraints during certificate validation, potentially enabling man-in-the-middle attacks.
You are affected if you are using cryptography versions 46.0.5 or earlier. Upgrade to version 46.0.6 or later to mitigate the risk.
Upgrade to cryptography version 46.0.6 or later. If upgrading is not possible, consider implementing stricter DNS validation policies.
As of now, there is no confirmed active exploitation of CVE-2026-34073, but the vulnerability is publicly known.
Refer to the cryptography project's security advisories on their official website or GitHub repository for the latest information.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je requirements.txt-bestand en we vertellen je direct of je getroffen bent.