CVE-2026-34582 — Improper Enforcement of Behavioral Workflow in Botan
Severity: 8.7 HIGH (NVD)
EPSS: 0.0% (top 91.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products:
Timeline: Published Apr 7, latest update Apr 8
Description
Description
Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed before the client's Finished message had been received. In TLS 1.3 the client's Certificate, CertificateVerify and Finished messages are sent only after the server's own Finished, so a server must hold any client application data until the client's Finished has been verified. A server attempting to enforce client authentication via certificates could therefore be bypassed by a client that omits the Certificate, CertificateVerify and Finished messages entirely and instead sends application data records directly after the server's handshake flight. This vulnerability is fixed in version 3.11.1.
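The following is an added example, not Botan's code and not taken from the advisory: a constructed model of the server side of a TLS 1.3 handshake with mandatory client authentication. It contrasts a record dispatcher that accepts ApplicationData as soon as the server's own flight has been sent (the behaviour the advisory describes) with one that accepts it only after the client's Finished has been verified, and replays the attacker's message sequence against both. Message names follow RFC 8446; the state structure, the dispatcher names and the replay helpers are assumptions for this example.

```cpp
#include <cstddef>
#include <initializer_list>
#include <string>
#include <vector>

// Constructed model of a TLS 1.3 server that requires client certificates.
// Message names follow RFC 8446; the state machine below is an assumption
// for this example, not Botan's implementation.
enum class Msg { ClientHello, Certificate, CertificateVerify, Finished, ApplicationData };
enum class Outcome { Accepted, Rejected };

struct ServerState {
    bool server_flight_sent = false;     // ServerHello .. server Finished sent
    bool client_cert_received = false;   // client Certificate processed
    bool client_cert_verified = false;   // CertificateVerify signature checked
    bool client_finished_ok = false;     // client Finished MAC verified
    std::vector<std::string> app_data;   // records handed to the application
};

// Handshake processing shared by both dispatchers. A real stack parses and
// verifies each message; here we only enforce the expected order.
static Outcome handle_handshake(ServerState& s, Msg m) {
    switch (m) {
    case Msg::ClientHello:
        s.server_flight_sent = true;            // server sends its whole flight
        return Outcome::Accepted;
    case Msg::Certificate:
        if (!s.server_flight_sent) return Outcome::Rejected;
        s.client_cert_received = true;
        return Outcome::Accepted;
    case Msg::CertificateVerify:
        if (!s.client_cert_received) return Outcome::Rejected;
        s.client_cert_verified = true;
        return Outcome::Accepted;
    case Msg::Finished:
        if (!s.client_cert_verified) return Outcome::Rejected;
        s.client_finished_ok = true;
        return Outcome::Accepted;
    default:
        return Outcome::Rejected;
    }
}

// Flawed dispatcher: ApplicationData is accepted once the server has sent its
// own flight, i.e. before the client has proven possession of a certificate.
Outcome handle_record_vulnerable(ServerState& s, Msg m, const std::string& payload) {
    if (m == Msg::ApplicationData) {
        if (!s.server_flight_sent) return Outcome::Rejected;
        s.app_data.push_back(payload);
        return Outcome::Accepted;
    }
    return handle_handshake(s, m);
}

// Corrected dispatcher: ApplicationData is accepted only after the client's
// Finished has been verified, which the order checks above tie to
// Certificate and CertificateVerify having been processed first.
Outcome handle_record_fixed(ServerState& s, Msg m, const std::string& payload) {
    if (m == Msg::ApplicationData) {
        if (!s.client_finished_ok) return Outcome::Rejected;
        s.app_data.push_back(payload);
        return Outcome::Accepted;
    }
    return handle_handshake(s, m);
}

using Dispatcher = Outcome (*)(ServerState&, Msg, const std::string&);

// Replays the bypass from the advisory: ClientHello, then application data
// with Certificate, CertificateVerify and Finished omitted. Returns how many
// application-data records the server accepted (constructed payload).
std::size_t replay_bypass(Dispatcher d) {
    ServerState s;
    d(s, Msg::ClientHello, "");
    d(s, Msg::ApplicationData, "GET /admin HTTP/1.1");
    return s.app_data.size();
}

// An honest client that authenticates must still get its data through.
std::size_t replay_honest(Dispatcher d) {
    ServerState s;
    for (Msg m : {Msg::ClientHello, Msg::Certificate, Msg::CertificateVerify, Msg::Finished})
        d(s, m, "");
    d(s, Msg::ApplicationData, "GET /admin HTTP/1.1");
    return s.app_data.size();
}

int main() {
    bool ok = replay_bypass(handle_record_vulnerable) == 1 &&   // bypass works
              replay_bypass(handle_record_fixed) == 0 &&        // bypass blocked
              replay_honest(handle_record_fixed) == 1;          // honest client fine
    return ok ? 0 : 1;
}
```

The gate that matters is the one in handle_record_fixed: the server's own Finished does not end the handshake from the server's point of view, only the verified client Finished does. The one legitimate case where a TLS 1.3 server accepts client data earlier is 0-RTT early data, which a server must explicitly opt into and which is carried in its own record type with its own keys; it is not a reason to accept ordinary ApplicationData before the client Finished.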
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Packages: 3 packages
Bugzilla
CVE-2026-34582 botan2: Botan: Client authentication bypass in TLS 1.3 implementation [fedora-42] (2026-04-08)
CVE-2026-34582 botan: Botan: Client authentication bypass in TLS 1.3 implementation [fedora-43] (2026-04-08)
CVE-2026-34582 botan2: Botan: Client authentication bypass in TLS 1.3 implementation [epel-all] (2026-04-08)
CVE-2026-34582 botan3: Botan: Client authentication bypass in TLS 1.3 implementation [epel-all] (2026-04-08)
CVE-2026-34582 botan2: Botan: Client authentication bypass in TLS 1.3 implementation [fedora-43] (2026-04-08)