Description
wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
Published: 2026-04-29
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

wget2 accepts a server certificate whose Key Usage or Extended Key Usage does not permit TLS server authentication. An attacker who obtains a certificate and its private key that a trusted CA issued for a different purpose (the advisory gives no example; client authentication, S/MIME and code signing certificates are the usual candidates) can present it as the server certificate during the handshake, and wget2 will not notice the mismatch. That weakens the TLS trust chain and could enable man-in-the-middle attacks or impersonation of a legitimate service. The record files the weakness under CWE-20 (Improper Input Validation); the advisory title, wget2 Improper Certificate Validation, describes it more specifically.

Affected Systems

The vulnerability affects GNU wget2. The advisory names neither affected nor fixed versions, so treat every wget2 release current at publication as potentially affected until the project states otherwise. Refer to the GNU wget2 project for an official fix and version information.

Risk and Exploitability

The CVSS 3.1 base score is 4.8 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N): remote, no privileges or user interaction required, limited confidentiality and integrity impact, and high attack complexity because the attacker must first hold a certificate and private key that chain to a CA the client trusts and be positioned on the client's connection path. The EPSS score is below 1%, so the current exploitation probability is estimated as very low, and the vulnerability is not listed in CISA's KEV catalog; the SSVC assessment records no known exploitation and rates the flaw as not automatable. Any client using wget2 to fetch from an HTTPS endpoint could be served the repurposed certificate: wget2 does not reject it on the strength of its Key Usage or Extended Key Usage, so a certificate that would be refused by a client applying those checks is accepted.

Generated by OpenCVE AI on April 30, 2026 at 03:44 UTC.
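The check at issue, as an added example that is not code from wget2 or from the advisory: a standard-library Python script that extracts keyUsage and extendedKeyUsage from a DER certificate and applies the RFC 5280 rule a TLS client should apply before accepting a server certificate (an extendedKeyUsage extension, if present, must contain serverAuth or anyExtendedKeyUsage; a keyUsage extension, if present, must allow digitalSignature, keyEncipherment or keyAgreement). The three certificates it inspects are constructed inline with placeholder names, key and signature, so they are neither real nor signed; every function, constant and OID name here is this example's own.

```python
"""KU/EKU fitness check for a TLS server certificate. Added example, not wget2 code.
Standard library only: a minimal DER walker extracts keyUsage and extendedKeyUsage
from a DER certificate, then the RFC 5280 rule a TLS client must apply is evaluated.
Test certificates are constructed inline with placeholder names, key and signature;
they are not cryptographically valid, which is irrelevant to the extension check."""

OID_KEY_USAGE, OID_EXT_KEY_USAGE, OID_ANY_EKU = "2.5.29.15", "2.5.29.37", "2.5.29.37.0"
OID_SERVER_AUTH, OID_CLIENT_AUTH, OID_EMAIL = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT, KU_KEY_CERT_SIGN = 0, 2, 4, 5  # RFC 5280 4.2.1.3 bit numbers

def der_read(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """(tag, value) pairs of the TLVs inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def der_tlv(tag, body):
    """Encode one TLV; lengths up to 65535 cover everything built here."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def oid_encode(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return der_tlv(0x06, body)

def oid_decode(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def extensions(cert_der):
    """Map extnID -> extnValue content for every extension of a DER certificate."""
    _, tbs, _ = der_read(der_read(cert_der)[1])  # tbsCertificate is the first field
    found = {}
    for tag, val in der_children(tbs):
        if tag == 0xA3:  # [3] EXPLICIT Extensions
            for _, ext in der_children(der_read(val)[1]):
                fields = der_children(ext)  # extnID, optional critical, extnValue
                found[oid_decode(fields[0][1])] = fields[-1][1]
    return found

def fit_for_tls_server(cert_der):
    """The check at issue: KU and EKU, where present, must permit TLS server authentication."""
    exts, reasons = extensions(cert_der), []
    if OID_EXT_KEY_USAGE in exts:
        eku = {oid_decode(v) for _, v in der_children(der_read(exts[OID_EXT_KEY_USAGE])[1])}
        if not eku & {OID_SERVER_AUTH, OID_ANY_EKU}:
            reasons.append("extendedKeyUsage lacks serverAuth: " + ", ".join(sorted(eku)))
    if OID_KEY_USAGE in exts:
        bits = der_read(exts[OID_KEY_USAGE])[1][1:]  # BIT STRING content after the unused-bits byte
        ku = {i for i in range(8 * len(bits)) if bits[i // 8] & (0x80 >> (i % 8))}
        if not ku & {KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT}:
            reasons.append("keyUsage permits neither signing nor key exchange: bits %s" % sorted(ku))
    return not reasons, reasons

def build_cert(ku_bits, ekus):
    """Constructed v3 certificate: placeholder fields plus only the two extensions under test."""
    def ext(oid, value):
        return der_tlv(0x30, oid_encode(oid) + der_tlv(0x04, value))
    exts = ext(OID_KEY_USAGE, der_tlv(0x03, bytes([0, sum(0x80 >> b for b in ku_bits)])))
    if ekus:
        exts += ext(OID_EXT_KEY_USAGE, der_tlv(0x30, b"".join(map(oid_encode, ekus))))
    name, sig_alg = der_tlv(0x30, b""), der_tlv(0x30, oid_encode("1.2.840.113549.1.1.11"))
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + sig_alg + name  # v3, serial 1
           + der_tlv(0x30, der_tlv(0x17, b"260101000000Z") + der_tlv(0x17, b"270101000000Z")) + name
           + der_tlv(0x30, der_tlv(0x30, oid_encode("1.2.840.113549.1.1.1")) + der_tlv(0x03, b"\x00"))
           + der_tlv(0xA3, der_tlv(0x30, exts)))
    return der_tlv(0x30, der_tlv(0x30, tbs) + sig_alg + der_tlv(0x03, b"\x00"))  # empty placeholder signature

# Constructed test certificates: one fit for a web server, two issued for other purposes.
SERVER_CERT = build_cert({KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT}, [OID_SERVER_AUTH, OID_CLIENT_AUTH])
CLIENT_ONLY_CERT = build_cert({KU_DIGITAL_SIGNATURE}, [OID_CLIENT_AUTH, OID_EMAIL])
CA_CERT = build_cert({KU_KEY_CERT_SIGN}, [])  # no EKU, but the key is only allowed to sign certificates

if __name__ == "__main__":
    for label, cert in [("server", SERVER_CERT), ("client-only", CLIENT_ONLY_CERT), ("ca", CA_CERT)]:
        ok, why = fit_for_tls_server(cert)
        print(label, "accept" if ok else "reject", why)
```

Run it as a script, or call fit_for_tls_server() on the bytes of any DER certificate file; it returns accept or reject together with the reasons. It deliberately decides on the extensions alone: chain building, signature and hostname checks stay with the TLS library, and a stricter client would tie the keyUsage bit it demands to the key exchange actually negotiated (keyEncipherment for RSA key transport, digitalSignature for handshakes the server signs).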

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Once the GNU wget2 project publishes a release that enforces Key Usage and Extended Key Usage on server certificates, upgrade to it; as of this record no fixed version is named.
  • Where you control the TLS stack (for example your own code linking the same TLS library), enforce that a server certificate's Key Usage permits signing or key exchange and that its Extended Key Usage, if present, includes serverAuth. Until wget2 does this itself, reduce exposure by limiting the CAs a wget2 job trusts (wget2's --ca-certificate option) to the authority that issues the expected server certificate.
  • Audit the certificates your wget2 jobs actually receive (for example by recording the leaf certificate presented on each connection) and inspect their keyUsage and extendedKeyUsage; a server certificate whose Extended Key Usage lacks serverAuth, or whose Key Usage allows neither signing nor key exchange, should be treated as an incident rather than a misconfiguration.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 16:30:00 +0000

Values removed: none. Values added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 21:45:00 +0000

Values removed: none. Values added:
First time appeared: Gnu; Gnu wget2
Vendors & Products: Gnu; Gnu wget2

Wed, 29 Apr 2026 20:45:00 +0000

Values removed: none. Values added:
Description: wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
Title: wget2 Improper Certificate Validation
Weaknesses: CWE-20
References: none shown
Metrics (cvssV3_1): {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-04-30T15:22:05.205Z

Reserved: 2026-02-03T20:13:53.718Z

Link: CVE-2026-1858

Vulnrichment

Updated: 2026-04-30T13:17:35.751Z

NVD

Status : Awaiting Analysis

Published: 2026-04-29T21:16:20.513

Modified: 2026-04-30T15:13:14.230

Link: CVE-2026-1858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:45:06Z

Weaknesses