Impact
The flaw permits a TLS session that was negotiated with a specific server name indication (SNI) or application‑layer protocol (ALPN) to be resumed later under a different SNI/ALPN, because the binding check that enforces a match was applied only to ticket‑based resumption and not to session‑ID based resumption. As a result, a cached session carries the peer‑authentication state it acquired on one virtual host into another virtual host on the same server that enforces a different client‑authentication policy; since resumption skips the certificate exchange of a full handshake, the second host's policy is never evaluated. This is an authentication bypass (CWE‑287) that can grant an attacker unauthorized access to resources on the target host.
Affected Systems
Any installation of the wolfSSL library that lacks the patch implementing the SNI/ALPN binding verification for all resumption paths is vulnerable. Operators should verify whether their deployed wolfSSL version contains the check introduced in pull request 10489; if not, the default configuration permits session‑ID based resumption that can be abused across virtual hosts on the same server.
Risk and Exploitability
The CVSS score of 6 indicates medium severity, and the absence of EPSS data or a KEV listing suggests that large‑scale exploitation is not yet prevalent. Nonetheless, an adversary could exploit the flaw by establishing a session on a virtual host with a lax client‑authentication policy and then presenting its session ID to a virtual host on the same server that requires client authentication; the resumed handshake never issues a CertificateRequest, so the stricter policy is bypassed. The attack requires that the target server performs session‑ID based resumption and that the attacker holds a resumable session, which means the identifier together with its master secret (in practice, the attacker is the client that originally established it); no long‑term cryptographic keys need to be compromised.
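The following is an added example that models the resumption paths described in the Impact and Risk sections above. It is constructed for this page and is not wolfSSL's code; the session cache, the two virtual hosts (`public.example` without client authentication, `admin.example` requiring it), the session ID and every function name are assumptions. The `hardened` flag switches between resuming any cached ID (the vulnerable path) and refusing to resume when the offered SNI or ALPN differs from the one the session was created under.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a server-side session cache; names are illustrative,
 * not wolfSSL's. */
#define ID_LEN       32
#define MAX_SESSIONS 8

typedef struct {
    bool    in_use;
    uint8_t id[ID_LEN];
    char    sni[64];   /* server name the session was negotiated under */
    char    alpn[32];  /* protocol the session was negotiated under */
} session_entry;

typedef struct {
    const char *name;
    bool        require_client_cert;   /* per-virtual-host client-auth policy */
} vhost;

/* Outcome of handling a ClientHello that carries a session ID. */
enum outcome {
    REJECTED = 0,         /* full handshake, vhost demanded a client cert, client had none */
    ADMITTED_FULL = 1,    /* full handshake completed, vhost policy enforced */
    ADMITTED_RESUMED = 2  /* resumed: no CertificateRequest, policy never evaluated */
};

static session_entry cache[MAX_SESSIONS];

/* Constructed vhost table: a public site and an admin site on one server. */
static const vhost vhosts[] = {
    { "public.example", false },
    { "admin.example",  true  },
};

static const vhost *find_vhost(const char *sni) {
    for (size_t i = 0; i < sizeof vhosts / sizeof vhosts[0]; i++)
        if (strcmp(vhosts[i].name, sni) == 0) return &vhosts[i];
    return NULL;
}

static session_entry *cache_find(const uint8_t *id) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (cache[i].in_use && memcmp(cache[i].id, id, ID_LEN) == 0) return &cache[i];
    return NULL;
}

/* Record what a completed full handshake knows about the session. */
static void cache_store(const uint8_t *id, const char *sni, const char *alpn) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!cache[i].in_use) {
            cache[i].in_use = true;
            memcpy(cache[i].id, id, ID_LEN);
            snprintf(cache[i].sni, sizeof cache[i].sni, "%s", sni);
            snprintf(cache[i].alpn, sizeof cache[i].alpn, "%s", alpn);
            return;
        }
    }
}

void cache_clear(void) { memset(cache, 0, sizeof cache); }

/* Handle a ClientHello. `hardened` binds session-ID resumption to the SNI/ALPN
 * the session was created under; without it any cached ID resumes. */
enum outcome serve(bool hardened, const uint8_t *id, const char *sni,
                   const char *alpn, bool client_has_cert) {
    const vhost *v = find_vhost(sni);
    if (v == NULL) return REJECTED;

    session_entry *s = cache_find(id);
    if (s != NULL) {
        bool binding_ok = !hardened ||
            (strcmp(s->sni, sni) == 0 && strcmp(s->alpn, alpn) == 0);
        if (binding_ok) return ADMITTED_RESUMED;
        s->in_use = false;   /* hardened: mismatch, discard and fall through to a full handshake */
    }

    /* Full handshake: the vhost's client-auth policy is enforced here.
     * (A real server would assign a fresh ID; the model reuses the offered one.) */
    if (v->require_client_cert && !client_has_cert) return REJECTED;
    cache_store(id, sni, alpn);
    return ADMITTED_FULL;
}

/* Session created on public.example without a client certificate, then
 * offered on admin.example. Returns the outcome of the second ClientHello. */
enum outcome cross_vhost_scenario(bool hardened, bool client_has_cert) {
    static const uint8_t id[ID_LEN] = { 0xA1, 0xB2, 0xC3 };  /* constructed session ID */
    cache_clear();
    serve(hardened, id, "public.example", "http/1.1", false);
    return serve(hardened, id, "admin.example", "http/1.1", client_has_cert);
}

/* Same host, different ALPN: created with h2, offered with http/1.1. */
enum outcome alpn_mismatch_scenario(bool hardened) {
    static const uint8_t id[ID_LEN] = { 0xD4, 0xE5, 0xF6 };  /* constructed session ID */
    cache_clear();
    serve(hardened, id, "public.example", "h2", false);
    return serve(hardened, id, "public.example", "http/1.1", false);
}

int main(void) {
    printf("vulnerable, no cert: %d\n", cross_vhost_scenario(false, false)); /* 2: bypass */
    printf("hardened,   no cert: %d\n", cross_vhost_scenario(true, false));  /* 0: rejected */
    printf("hardened,  has cert: %d\n", cross_vhost_scenario(true, true));   /* 1: full handshake */
    return 0;
}
```

The vulnerable path admits the certificate-less client on `admin.example` purely because the session ID is in the cache; the hardened path discards the mismatched session and forces a full handshake, where the admin host's client-certificate requirement is actually applied. The ALPN case shows the same binding protecting a protocol-specific policy even when the SNI matches.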
OpenCVE Enrichment