Description
Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.
Published: 2026-03-30
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Certificate Revocation Bypass
Action: Apply Patch
AI Analysis

Impact

The vulnerability in the Botan cryptography library arises from missing verification of the OCSP response signature during X509 path validation in versions 3.0.0 through 3.10.x. Because the library does not check that the OCSP response is properly signed, an attacker can supply a forged response that reports a certificate as valid even though it has been revoked. This lets a man-in-the-middle attacker bypass certificate revocation checks, potentially compromising the confidentiality and integrity of secure communications.
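The following is an added illustration, not Botan's own code: it models the affected logic (status code trusted as-is) beside the hardened ordering (signature verified against a trusted responder before the status is believed). The `OCSPResponse` type, the HMAC stand-in for the responder's signature, the keys and the serial 4242 are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Stand-in for the responder's signing key. Real OCSP responses carry an
# asymmetric signature from the issuing CA or a delegated responder; an HMAC
# key is used here only so the example runs on the standard library alone.
TRUSTED_RESPONDER_KEY = b"constructed-trusted-responder-key"


@dataclass(frozen=True)
class OCSPResponse:
    cert_serial: int
    cert_status: str  # "good" or "revoked"
    signature: bytes  # covers serial and status


def _tbs(serial: int, status: str) -> bytes:
    """Bytes the signature covers (stand-in for the DER ResponseData)."""
    return f"{serial}:{status}".encode()


def sign_response(key: bytes, serial: int, status: str) -> OCSPResponse:
    """Produce a response signed under `key` (trusted or not)."""
    mac = hmac.new(key, _tbs(serial, status), hashlib.sha256).digest()
    return OCSPResponse(serial, status, mac)


def check_ocsp_vulnerable(resp: OCSPResponse) -> bool:
    """Affected behaviour: only the status code is inspected."""
    return resp.cert_status == "good"


def check_ocsp_fixed(resp: OCSPResponse, trusted_key: bytes) -> bool:
    """Hardened behaviour: the signature must verify against a trusted
    responder before the status it carries is believed."""
    expected = hmac.new(trusted_key, _tbs(resp.cert_serial, resp.cert_status),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, resp.signature):
        return False  # forged or unsigned response: never accept "good"
    return resp.cert_status == "good"


def demo() -> dict:
    """Revoked cert 4242: a genuine 'revoked' response and a forged 'good' one."""
    genuine = sign_response(TRUSTED_RESPONDER_KEY, 4242, "revoked")
    forged = sign_response(b"constructed-untrusted-key", 4242, "good")
    return {
        "vulnerable_accepts_forged": check_ocsp_vulnerable(forged),
        "fixed_accepts_forged": check_ocsp_fixed(forged, TRUSTED_RESPONDER_KEY),
        "fixed_accepts_genuine_revoked": check_ocsp_fixed(genuine, TRUSTED_RESPONDER_KEY),
    }
```

Only the vulnerable check lets the forged "good" answer override the revocation; the hardened check rejects it because the signature does not verify under the trusted key.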

Affected Systems

This issue affects the Botan cryptography library, developed by randombit. Versions starting from 3.0.0 up to, but not including, 3.11.0 are vulnerable. The patch that fixes the problem was released in Botan 3.11.0.

Risk and Exploitability

The CVSS score is 5.9, indicating moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker would need to deliver a crafted OCSP response to a software component that relies on the Botan library for certificate validation. Usually this would occur over a network path where the application performs that validation, so the attack vector is inferred to be remote and network-based. Exploitation requires that the application accept the forged response as valid, which it will if the library is in the affected version range.

Generated by OpenCVE AI on April 13, 2026 at 16:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Botan 3.11.0 or later
  • If upgrade is not feasible, configure applications to ignore OCSP revocation checks or restrict network access to OCSP endpoints
  • Verify no older Botan versions are in the application stack
  • Check the vendor’s website for additional security advisories and verify the library’s integrity

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Botan Project; Botan Project botan
CPEs | | cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*
Vendors & Products | | Botan Project; Botan Project botan

Thu, 02 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Moderate

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Randombit; Randombit botan
Vendors & Products | | Randombit; Randombit botan

Tue, 31 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description | | Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.
Title | | Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass
Weaknesses | | CWE-347
References | |
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T14:10:02.578Z

Reserved: 2026-03-16T21:03:44.421Z

Link: CVE-2026-32883

Vulnrichment

Updated: 2026-04-02T14:09:56.688Z

NVD

Status: Analyzed

Published: 2026-03-30T21:17:09.933

Modified: 2026-04-13T13:54:57.530

Link: CVE-2026-32883

Redhat

Severity: Moderate

Public Date: 2026-03-30T20:36:30Z

Links: CVE-2026-32883 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:42:31Z

Weaknesses