Skip to main content

CWE-295

Improper Certificate Validation

1086 CVEs Avg CVSS 6.8 MITRE
101
CRITICAL
439
HIGH
496
MEDIUM
47
LOW
145
POC
4
KEV

Monthly

CVE-2026-52724 MEDIUM PATCH GHSA This Month

TLS certificate verification bypass in Kuma's kuma-dp data plane allows an on-path attacker to intercept the dataplane authentication token and inject a forged bootstrap configuration, effectively taking over the proxy. Affected deployments are Universal mode installations where operators start kuma-dp against an HTTPS control plane without supplying a CA certificate via --ca-cert-file or the KUMA_CONTROL_PLANE_CA_CERT environment variable. Standard Kubernetes installations using kumactl or the official Helm chart are not affected because the mutating admission webhook automatically injects the CA certificate. No public exploit or CISA KEV listing is present at time of analysis; patch releases are available across all supported branches.

Code Injection Kubernetes
NVD GitHub
CVE-2026-50166 MEDIUM PATCH GHSA This Month

TLS certificate verification bypass in Kuma's kumactl CLI tool allows network-adjacent attackers to intercept API tokens via man-in-the-middle attack. When an operator adds an HTTPS control plane profile without supplying --ca-cert-file, kumactl silently disables TLS verification (InsecureSkipVerify=true) and transmits API tokens over the unverified connection. A successful intercept grants the attacker the ability to impersonate the operator and issue privileged commands to the control plane. No public exploit identified at time of analysis; vendor-released patches are available.

Information Disclosure
NVD GitHub
CVE-2026-38974 MEDIUM This Month

Missing SSH host key verification in Dulwich's paramiko vendor module exposes SSH connections to man-in-the-middle interception. The contrib/paramiko_vendor.py module used paramiko's MissingHostKeyPolicy, which silently accepts any server host key without checking it against known_hosts, allowing a network-positioned attacker to impersonate a legitimate SSH Git server. No public exploit has been identified at time of analysis and EPSS sits at 0.14% (4th percentile), but the attack is conceptually straightforward for any attacker with network access between client and server.

Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-50302 MEDIUM PATCH This Month

Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.

Authentication Bypass Microsoft Windows 10 Version 21H2 Windows 10 Version 22H2 Windows 11 Version 24H2 +5
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-47632 HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft's Azure Monitor Agent (specifically the Metrics Extension) lets an unauthenticated attacker on an adjacent network gain elevated privileges by exploiting improper TLS certificate validation (CWE-295). Because the agent fails to properly verify the certificate of the endpoint it communicates with, an attacker positioned on the same broadcast/logical network segment can impersonate a trusted server and hijack the agent's privileged context, yielding high confidentiality, integrity, and availability impact. Microsoft rates it CVSS 8.8; there is currently no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Microsoft Azure Monitor Agent Metrics Extension
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-55001 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Active Directory certificate-validation path lets an already-authenticated attacker on Windows 10 (1607/1809) and Windows Server 2016 through 2025 (including Server Core) improperly validate a certificate to gain higher privileges. Microsoft reported and patched the flaw (CWE-295), but there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS 7.8 vector (AV:L/PR:L) confirms an authenticated local attacker with full confidentiality, integrity, and availability impact upon success.

Microsoft Information Disclosure Windows 10 Version 1607 Windows 10 Version 1809 Windows Server 2016 +6
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-59836 CRITICAL Act Now

Improper TLS certificate validation in Fortinet FortiClientEMS (Endpoint Management Server) exposes sensitive information to network-positioned attackers across FortiClientEMS 7.2 (all listed builds up to 7.2.14), 7.4.0–7.4.1, and 7.4.3–7.4.5. Because the client fails to properly verify server certificates (CWE-295), an attacker able to intercept EMS communications can decrypt or observe protected traffic to disclose information. There is no public exploit identified at time of analysis and CISA SSVC scores exploitation as 'none', but Fortinet rates the flaw CVSS 9.8, so patching should be prioritized despite the lack of observed exploitation.

Fortinet Information Disclosure Forticlientems
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-15683 HIGH This Week

Remote code execution affects the Lorex 2K Indoor Wi-Fi Security Camera through improper TLS certificate validation in its device management server, allowing a network-adjacent attacker to impersonate the management server and, when chained with additional flaws, run code as root without any user interaction. The issue was reported through Trend Micro's Zero Day Initiative (ZDI-26-399, formerly ZDI-CAN-26851). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

RCE 2K Indoor Wi Fi Security Camera
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2026-61668 PyPI HIGH PATCH GHSA This Week

Man-in-the-middle code injection in DIRAC's grid pilot bootstrap affects the DIRACGrid Python distributed-computing framework, where the PilotWrapper explicitly disables TLS certificate validation when fetching the second-stage pilot.tar. Because both the payload and its reference checksum traverse the same unverified HTTPS channel, an attacker positioned on the grid site's network can substitute arbitrary code that runs in the pilot context with access to its proxy/credentials. No public exploit identified at time of analysis; exploitation requires an active network intercept, which the vendor notes is non-trivial, but the CVSS is 8.1 due to full CIA impact.

RCE Python
NVD GitHub
CVSS 3.1
8.1
CVE-2026-22093 CRITICAL PATCH Act Now

Man-in-the-middle interception and traffic manipulation in the EVbee Service Android app (v1.4.101.00) is possible because the app negotiates HTTPS but never validates the server's TLS certificate, and further protects payloads only with RC4 under a hardcoded key. An attacker positioned on the network path can decrypt and alter app-to-server traffic and harvest charging-station access codes. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reproducible with standard interception tooling.

Information Disclosure Google Evbee Service
NVD
CVSS 4.0
9.5
EPSS
0.2%
MEDIUM PATCH This Month

TLS certificate verification bypass in Kuma's kuma-dp data plane allows an on-path attacker to intercept the dataplane authentication token and inject a forged bootstrap configuration, effectively taking over the proxy. Affected deployments are Universal mode installations where operators start kuma-dp against an HTTPS control plane without supplying a CA certificate via --ca-cert-file or the KUMA_CONTROL_PLANE_CA_CERT environment variable. Standard Kubernetes installations using kumactl or the official Helm chart are not affected because the mutating admission webhook automatically injects the CA certificate. No public exploit or CISA KEV listing is present at time of analysis; patch releases are available across all supported branches.

Code Injection Kubernetes
NVD GitHub
MEDIUM PATCH This Month

TLS certificate verification bypass in Kuma's kumactl CLI tool allows network-adjacent attackers to intercept API tokens via man-in-the-middle attack. When an operator adds an HTTPS control plane profile without supplying --ca-cert-file, kumactl silently disables TLS verification (InsecureSkipVerify=true) and transmits API tokens over the unverified connection. A successful intercept grants the attacker the ability to impersonate the operator and issue privileged commands to the control plane. No public exploit identified at time of analysis; vendor-released patches are available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing SSH host key verification in Dulwich's paramiko vendor module exposes SSH connections to man-in-the-middle interception. The contrib/paramiko_vendor.py module used paramiko's MissingHostKeyPolicy, which silently accepts any server host key without checking it against known_hosts, allowing a network-positioned attacker to impersonate a legitimate SSH Git server. No public exploit has been identified at time of analysis and EPSS sits at 0.14% (4th percentile), but the attack is conceptually straightforward for any attacker with network access between client and server.

Information Disclosure N A
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper certificate validation in Windows Cryptographic Services allows an unauthorized attacker to bypass a security feature over a network.

Authentication Bypass Microsoft Windows 10 Version 21H2 +7
NVD
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft's Azure Monitor Agent (specifically the Metrics Extension) lets an unauthenticated attacker on an adjacent network gain elevated privileges by exploiting improper TLS certificate validation (CWE-295). Because the agent fails to properly verify the certificate of the endpoint it communicates with, an attacker positioned on the same broadcast/logical network segment can impersonate a trusted server and hijack the agent's privileged context, yielding high confidentiality, integrity, and availability impact. Microsoft rates it CVSS 8.8; there is currently no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Microsoft Azure Monitor Agent Metrics Extension
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Active Directory certificate-validation path lets an already-authenticated attacker on Windows 10 (1607/1809) and Windows Server 2016 through 2025 (including Server Core) improperly validate a certificate to gain higher privileges. Microsoft reported and patched the flaw (CWE-295), but there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS 7.8 vector (AV:L/PR:L) confirms an authenticated local attacker with full confidentiality, integrity, and availability impact upon success.

Microsoft Information Disclosure Windows 10 Version 1607 +8
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper TLS certificate validation in Fortinet FortiClientEMS (Endpoint Management Server) exposes sensitive information to network-positioned attackers across FortiClientEMS 7.2 (all listed builds up to 7.2.14), 7.4.0–7.4.1, and 7.4.3–7.4.5. Because the client fails to properly verify server certificates (CWE-295), an attacker able to intercept EMS communications can decrypt or observe protected traffic to disclose information. There is no public exploit identified at time of analysis and CISA SSVC scores exploitation as 'none', but Fortinet rates the flaw CVSS 9.8, so patching should be prioritized despite the lack of observed exploitation.

Fortinet Information Disclosure Forticlientems
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Remote code execution affects the Lorex 2K Indoor Wi-Fi Security Camera through improper TLS certificate validation in its device management server, allowing a network-adjacent attacker to impersonate the management server and, when chained with additional flaws, run code as root without any user interaction. The issue was reported through Trend Micro's Zero Day Initiative (ZDI-26-399, formerly ZDI-CAN-26851). There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

RCE 2K Indoor Wi Fi Security Camera
NVD
CVSS 8.1
HIGH PATCH This Week

Man-in-the-middle code injection in DIRAC's grid pilot bootstrap affects the DIRACGrid Python distributed-computing framework, where the PilotWrapper explicitly disables TLS certificate validation when fetching the second-stage pilot.tar. Because both the payload and its reference checksum traverse the same unverified HTTPS channel, an attacker positioned on the grid site's network can substitute arbitrary code that runs in the pilot context with access to its proxy/credentials. No public exploit identified at time of analysis; exploitation requires an active network intercept, which the vendor notes is non-trivial, but the CVSS is 8.1 due to full CIA impact.

RCE Python
NVD GitHub
EPSS 0% CVSS 9.5
CRITICAL PATCH Act Now

Man-in-the-middle interception and traffic manipulation in the EVbee Service Android app (v1.4.101.00) is possible because the app negotiates HTTPS but never validates the server's TLS certificate, and further protects payloads only with RC4 under a hardcoded key. An attacker positioned on the network path can decrypt and alter app-to-server traffic and harvest charging-station access codes. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reproducible with standard interception tooling.

Information Disclosure Google Evbee Service
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy