CVE-2026-34582 · CRITICAL 9.1 · EPSS p9.6%

Description

Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed before the Finished message was received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits the Certificate, CertificateVerify, and Finished messages and instead sends application data records. This vulnerability is fixed in 3.11.1.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.20% probability of exploitation · percentile 9.6% · 2026-06-19T12:03:05Z
Published: 2026-04-07
Last modified: 2026-04-17

Underlying weaknesses · 1

CWE-841

References

  1. https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Enforcement of Behavioral Workflow (cwe-841) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-44378
  2. CVE-2026-32877
  3. CVE-2024-45159
  4. CVE-2026-5264
  5. CVE-2025-27810
  6. CVE-2026-45185

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.