Skip to main content

Red Hat EUVD-2026-19948

| CVE-2026-34582 HIGH
Improper Enforcement of Behavioral Workflow (CWE-841)
2026-04-07 GitHub_M
Authentication Bypass Red Hat Suse
8.7
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 20:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:02 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.11.1
EUVD ID Assigned
Apr 07, 2026 - 21:31 euvd
EUVD-2026-19948
Analysis Generated
Apr 07, 2026 - 21:31 vuln.today
CVE Published
Apr 07, 2026 - 21:13 nvd
HIGH 8.7

DescriptionNVD

Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.

AnalysisAI

TLS 1.3 client authentication bypass in Botan cryptography library versions prior to 3.11.1 allows unauthenticated remote attackers to skip certificate validation by sending ApplicationData records before the Finished handshake message. Exploiting this vulnerability requires no authentication (PR:N), low attack complexity (AC:L), and no user interaction (UI:N), resulting in complete integrity compromise (VI:H) for TLS 1.3 servers relying on mutual authentication. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: inventory all systems using Botan cryptography library and identify those with TLS 1.3 mutual authentication enabled. Within 7 days: deploy Botan 3.11.1 or later to all affected systems and restart services. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Share

EUVD-2026-19948 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy