Description
Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.
Published: 2026-03-30
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Certificate Revocation Bypass
Action: Apply Patch
AI Analysis

Impact

This vulnerability stems from Botan’s omission of signature verification on OCSP responses during X509 path validation. As a result, a malicious actor can supply a forged OCSP response that the library accepts, allowing a man‑in‑the‑middle attack to bypass certificate revocation checks. The consequence is that a client may trust a revoked or compromised certificate, potentially enabling disclosure, tampering, or impersonation over TLS connections.

Affected Systems

The flaw is present in randombit’s Botan library, affecting all releases from version 3.0.0 through the last release before 3.11.0. Versions 3.11.0 and later include a patch that reinstates proper signature verification.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. Exploitation requires that the attacker can supply a rogue OCSP response, usually by being in a position to influence the client’s certificate validation, such as a compromised or malicious relay. There is no EPSS metric available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely leveraged yet. Nevertheless, any environment where certificate revocation is critical should treat this as a real risk.

Generated by OpenCVE AI on March 31, 2026 at 06:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Botan to version 3.11.0 or later



Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Randombit; Randombit botan
Vendors & Products | | Randombit; Randombit botan

Tue, 31 Mar 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description | | Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.
Title | | Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass
Weaknesses | | CWE-347
References | |
Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T20:36:30.579Z

Reserved: 2026-03-16T21:03:44.421Z

Link: CVE-2026-32883

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-30T21:17:09.933

Modified: 2026-03-30T21:17:09.933

Link: CVE-2026-32883

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:40:04Z

Weaknesses