Description
Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.
Published: 2026-04-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server certificate authentication bypass leading to unauthorized client access
Action: Immediate Patch
AI Analysis

Impact

A client can send ApplicationData records before the Finished message, bypassing TLS 1.3 certificate authentication. The flaw originates from the library not validating the order of handshake messages. An attacker can therefore access services that require client certificates without presenting a valid cert, compromising confidentiality and integrity.

Affected Systems

The randomBit Botan cryptographic library versions earlier than 3.11.1 are affected. Systems that use Botan for TLS 1.3 and enforce mutual authentication are vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates significant risk. EPSS data is not available. The attack can be performed by an arbitrary client that sends premature application data, so no special conditions are required. This bypass permits unauthorized access, so the risk is high.

Generated by OpenCVE AI on April 8, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Botan to version 3.11.1 or later
  • Verify that the TLS 1.3 handshake enforces certificate authentication after the Finished message
  • If upgrading is delayed, temporarily disable client certificate authentication or implement additional server‑side validation of client certificates

Generated by OpenCVE AI on April 8, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Botan Project
Botan Project botan
CPEs cpe:2.3:a:botan_project:botan:*:*:*:*:*:*:*:*
Vendors & Products Botan Project
Botan Project botan

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Randombit
Randombit botan
Vendors & Products Randombit
Randombit botan

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-166
References
Metrics threat_severity

None

 cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important

Tue, 07 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.
Title Botan has a TLS 1.3 certificate authentication bypass
Weaknesses CWE-841
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Botan Project Botan
Randombit Botan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T15:41:21.671Z

Reserved: 2026-03-30T16:56:30.999Z

Link: CVE-2026-34582

cve-icon Vulnrichment

Updated: 2026-04-08T15:41:17.903Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T22:16:22.810

Modified: 2026-04-17T20:31:27.753

Link: CVE-2026-34582

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T21:13:49Z

Links: CVE-2026-34582 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:45:35Z

Weaknesses