Skip to main content

GNU wget2 CVE-2026-1858

| EUVDEUVD-2026-26285 MEDIUM
Improper Input Validation (CWE-20)
2026-04-29 tenable
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 29, 2026 - 20:58 vuln.today
EUVD ID Assigned
Apr 29, 2026 - 20:45 euvd
EUVD-2026-26285
Analysis Generated
Apr 29, 2026 - 20:45 vuln.today
CVE Published
Apr 29, 2026 - 20:15 nvd
MEDIUM 4.8

DescriptionCVE.org

wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.

AnalysisAI

GNU wget2 incorrectly validates TLS server certificates, accepting certificates with improper Key Usage (KU) or Extended Key Usage (EKU) attributes. This allows attackers who have compromised certificates issued for non-server purposes to impersonate legitimate servers in TLS connections, enabling man-in-the-middle attacks that leak sensitive information such as authentication credentials or request/response data.

Technical ContextAI

wget2 is a command-line HTTP/HTTPS client that relies on certificate validation to establish secure TLS connections. The vulnerability stems from inadequate validation of X.509 certificate extensions (CWE-20: Improper Input Validation). TLS server certificates must contain specific Key Usage bits (digitalSignature, keyEncipherment) and/or an Extended Key Usage extension containing id-kp-serverAuth to be valid for server authentication. When wget2 fails to enforce these constraints, it accepts certificates intended for other purposes (e.g., code signing, client authentication, email signing). An attacker who obtains such a certificate's private key - through theft, compromise of a lower-security certificate authority, or acquisition from a misconfiguured issuer - can present it to wget2 clients, which will incorrectly trust the connection. The vulnerability affects all versions of wget2 across platforms where the affected code path is enabled, as indicated by the CPE pattern cpe:2.3:a:gnu:wget2:*:*:*:*:*:*:*:* with no version constraint.

RemediationAI

Apply the vendor-released patch for wget2 certificate validation as soon as it becomes available through the GNU wget2 project. Until a patched version is available, implement network-level mitigations: deploy certificate pinning or HPKB (HTTP Public Key Binding) policies in environments controlling wget2 deployments to restrict accepted certificates to a whitelist of known legitimate issuers and public key hashes. For automated downloads or CI/CD pipelines using wget2, enforce DNSSEC validation and certificate transparency (CT) log verification on the client side where possible, or use a proxy with advanced certificate inspection (e.g., Squid, mitmproxy in non-MITM mode for monitoring). Operationally, restrict wget2 usage to non-sensitive data retrieval where feasible, and prefer curl or newer HTTP clients with stronger default certificate validation. Monitor certificate issuance logs from your organization's trusted CAs for unexpected certificate generation outside normal business processes. No formal patch version has been publicly identified at the time of analysis; check the GNU wget2 project website and security advisories for availability of fixed builds.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-1858 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy