GHSA-85rw-g4f4-jprr
Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 80 maven packages depend on org.apache.directory.api:api-ldap-client-api (15 direct, 65 indirect)
Ecosystem-wide dependent count for version 2.0.0.
Description PRE-NVD
AnalysisAI
Improper certificate hostname validation in the Apache Directory LDAP API client allows network-positioned attackers to impersonate LDAP servers and intercept authenticated directory traffic. The flaw was disclosed via the oss-security mailing list on 2026-06-01 and is tracked under CWE-297; no public exploit identified at time of analysis. With a CVSS 4.0 score of 8.8 and high confidentiality/integrity impact, the issue is significant for applications that rely on this library to connect to LDAP/LDAPS endpoints.
Technical ContextAI
The Apache Directory LDAP API is a Java client library widely embedded in applications that need to talk to LDAP/LDAPS directory servers (such as ApacheDS, OpenLDAP, or Active Directory). CWE-297 (Improper Validation of Certificate with Host Mismatch) indicates that the TLS handshake completes successfully against any certificate the client trusts, without confirming that the certificate's Common Name or Subject Alternative Name matches the hostname the client was instructed to connect to. The CWE class makes this a classic TLS trust-boundary defect: encryption is present, but the cryptographic identity of the peer is not bound to the intended target, breaking the security guarantee TLS is supposed to provide. The 'Buffer Overflow' tag appears inconsistent with CWE-297 and likely reflects automated tagging rather than the actual root cause.
RemediationAI
Patch available per vendor advisory - consult the Apache mailing list thread at https://lists.apache.org/thread/5rc2nzqxp1m9wknyf93r8dnp46fhc1nn and the oss-security post at https://www.openwall.com/lists/oss-security/2026/06/01 for the fixed release coordinates, then upgrade the Apache Directory LDAP API dependency in all consuming applications. Until the upgrade is deployed, compensating controls include constraining LDAP client traffic to trusted network segments (so a MITM position is harder to achieve), pinning the LDAP server certificate or its issuing CA inside the application's trust store rather than relying on the system default truststore, and where the application code allows, wrapping LDAP connection setup with an explicit hostname verifier (for example, validating the server certificate's SAN against the configured hostname before issuing bind requests); the trade-off is that pinning and custom verifiers require operational discipline when certificates rotate and may break legitimate failover topologies.
Same technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33569