Skip to main content

Apache Directory LDAP API CVE-2026-35563

| EUVDEUVD-2026-33569 HIGH
Improper Validation of Certificate with Host Mismatch (CWE-297)
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 08:22 vuln.today
CVSS changed
Jun 01, 2026 - 08:22 NVD
8.8 (HIGH)
CVE Published
Jun 01, 2026 - 04:45 nvd
HIGH 8.8
CVE Published
Jun 01, 2026 - 04:45 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 80 maven packages depend on org.apache.directory.api:api-ldap-client-api (15 direct, 65 indirect)

Ecosystem-wide dependent count for version 2.0.0.

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Improper certificate hostname validation in the Apache Directory LDAP API client allows network-positioned attackers to impersonate LDAP servers and intercept authenticated directory traffic. The flaw was disclosed via the oss-security mailing list on 2026-06-01 and is tracked under CWE-297; no public exploit identified at time of analysis. With a CVSS 4.0 score of 8.8 and high confidentiality/integrity impact, the issue is significant for applications that rely on this library to connect to LDAP/LDAPS endpoints.

Technical ContextAI

The Apache Directory LDAP API is a Java client library widely embedded in applications that need to talk to LDAP/LDAPS directory servers (such as ApacheDS, OpenLDAP, or Active Directory). CWE-297 (Improper Validation of Certificate with Host Mismatch) indicates that the TLS handshake completes successfully against any certificate the client trusts, without confirming that the certificate's Common Name or Subject Alternative Name matches the hostname the client was instructed to connect to. The CWE class makes this a classic TLS trust-boundary defect: encryption is present, but the cryptographic identity of the peer is not bound to the intended target, breaking the security guarantee TLS is supposed to provide. The 'Buffer Overflow' tag appears inconsistent with CWE-297 and likely reflects automated tagging rather than the actual root cause.

RemediationAI

Patch available per vendor advisory - consult the Apache mailing list thread at https://lists.apache.org/thread/5rc2nzqxp1m9wknyf93r8dnp46fhc1nn and the oss-security post at https://www.openwall.com/lists/oss-security/2026/06/01 for the fixed release coordinates, then upgrade the Apache Directory LDAP API dependency in all consuming applications. Until the upgrade is deployed, compensating controls include constraining LDAP client traffic to trusted network segments (so a MITM position is harder to achieve), pinning the LDAP server certificate or its issuing CA inside the application's trust store rather than relying on the system default truststore, and where the application code allows, wrapping LDAP connection setup with an explicit hostname verifier (for example, validating the server certificate's SAN against the configured hostname before issuing bind requests); the trade-off is that pinning and custom verifiers require operational discipline when certificates rotate and may break legitimate failover topologies.

Share

CVE-2026-35563 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy