CVE 8.6 HIGH

Improper Certificate Signature Verification in X.509 Chain Validation Allows Forged Leaf Certificates_CVE-2026-5501

April 12, 2026 invoker category_cve
8.6 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy.

AI Analysis

Improper Certificate Signature Verification in X.509 Chain Validation Allows Forged Leaf Certificates

Basic Information

ID CVE-2026-5501
Source wolfSSL
Published Apr 10, 2026 at 03:07
Modified Apr 10, 2026 at 13:43

Affected Product

Vendor wolfSSL
Product wolfSSL
Affected Versions wolfSSL wolfSSL 0

CWE Classification

CWE-295

AI Assessment

AI Score 8.6 / 10
AI Severity High
Vendor wolfSSL
Product wolfSSL

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.