Which versions of Wolfssl are affected by CVE-2026-5263?

CVE-2026-5263 affects wolfSSL's certificate chain validation, allowing compromised intermediate certificate authorities to bypass URI nameConstraints restrictions and issue fraudulent leaf…. A patch is available.

How to fix or mitigate CVE-2026-5263?

Within 24 hours: Identify all systems running wolfSSL and document current versions in use. Within 7 days: Apply the vendor-released patch to all affected wolfSSL installations and test in non-production environments first. Within 30 days: Perform a full TLS certificate chain audit across the organization to verify no unauthorized certificates were issued, and implement enhanced monitoring of certificate issuance events from all trusted CAs.

Wolfssl CVE-2026-5263

Q: What is the CVSS score of CVE-2026-5263?

CVE-2026-5263 has a CVSS 4.0 base score of 7.0 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-21178 HIGH

Improper Certificate Validation (CWE-295)

2026-04-09 wolfSSL

Information Disclosure Wolfssl

7.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.0 HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 29, 2026 - 17:22 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 06:00 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

5.9.1

EUVD ID Assigned

Apr 09, 2026 - 21:45 euvd

EUVD-2026-21178

Analysis Generated

Apr 09, 2026 - 21:45 vuln.today

CVE Published

Apr 09, 2026 - 21:15 nvd

HIGH 7.0

DescriptionCVE.org

URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.

AnalysisAI

Certificate chain verification bypass in wolfSSL allows malicious intermediate CAs to violate URI nameConstraints. A compromised sub-CA with high-privilege access can issue leaf certificates containing URI Subject Alternative Name entries that breach parent CA nameConstraints restrictions. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Compromise intermediate CA or obtain malicious sub-CA

Delivery

Issue leaf certificate with unconstrained URI SAN

Exploit

Submit certificate chain to wolfSSL verifier

Execution

Bypass nameConstraints validation in asn.c

Impact

Accept invalid certificate as trusted