Description
It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be improperly accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise.

The root cause of this vulnerability lies in the incomplete TLS server identity verification within the LDAP client implementation.

The attacker requires MITM capability on the network to exploit this vulnerability. This attacker must be able to present a certificate trusted by the client's configured trust store.

The hostname verification has been enforced in the new version of the LDAP API.
Published: 2026-06-01
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Apache Directory LDAP API version 2.1.7 fails to verify that the LDAP server's TLS certificate matches the intended hostname. As a result, an attacker who can perform a man-in-the-middle (MITM) attack and present any certificate that is trusted by the client's trust store can impersonate the LDAP server, leading to full compromise of confidentiality, integrity, and authentication. This flaw is categorized as CWE-297 (Improper Validation of Certificate with Host Mismatch), i.e. TLS hostname verification that is missing from the client.

Affected Systems

The vulnerability affects the Apache Directory LDAP API produced by the Apache Software Foundation, specifically version 2.1.7. No other product versions were mentioned. Users of this library who connect to LDAP servers over TLS should verify that the certificate returned by the server matches the expected hostname to avoid the risk of impersonation.

Risk and Exploitability

With a CVSS score of 8.8, this issue is considered high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can intercept traffic and supply a certificate that is trusted by the client's trust store. Once the MITM is in place, the client will accept the certificate despite hostname mismatches, enabling the attacker to read, modify, or forge LDAP communications. The likely attack vector is a network MITM capable of presenting a trusted certificate.

Generated by OpenCVE AI on June 1, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Apache Directory LDAP API where hostname verification is enforced (2.1.8 or later).
  • If an upgrade is not feasible, remove or restrict certificates in the client’s trust store that cannot be verified against the targeted LDAP server’s hostname.
  • Configure the LDAP client to enforce hostname verification manually, rejecting any certificate whose subject does not match the expected LDAP server name.
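Added example, not code from the Apache Directory LDAP API or from the advisory: the missing check described above, shown with plain JSSE sockets, the weak form beside the hardened one. Setting the endpoint identification algorithm on the socket's SSLParameters is what makes the handshake compare the server certificate's names against the target host; the `ldap.example.invalid` host and port 636 are placeholders.

```java
import java.io.IOException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class LdapsSocketExample {

    /**
     * Weak pattern (the CWE-297 shape of this advisory): the default trust
     * store validates the chain, but no endpoint identification algorithm is
     * set, so a certificate issued to any other host that chains to a trusted
     * CA is accepted and a MITM holding such a certificate is not detected.
     */
    static SSLSocket connectWithoutHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake(); // only the chain is checked here
        return socket;
    }

    /**
     * Hardened pattern: enable JSSE endpoint identification so the handshake
     * also fails unless a SAN (or legacy CN) in the server certificate matches
     * the host we intended to reach.
     */
    static SSLSocket connectWithHostnameCheck(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // "LDAPS" and "HTTPS" are the standard JSSE endpoint identification names.
        params.setEndpointIdentificationAlgorithm("LDAPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // chain AND hostname are checked here
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder host; pass a real LDAPS endpoint as the first argument.
        String host = args.length > 0 ? args[0] : "ldap.example.invalid";
        try (SSLSocket s = connectWithHostnameCheck(host, 636)) {
            System.out.println("Verified peer for " + host + ": "
                    + s.getSession().getPeerPrincipal());
        }
    }
}
```

Against a server presenting a valid certificate for a different name, the first method returns a usable socket while the second throws an SSLHandshakeException, which is the behaviour the upgraded library enforces.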



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 09:30:00 +0000: References updated (no values listed).

Mon, 01 Jun 2026 08:45:00 +0000: First time appeared: Apache; Apache directory Ldap Api. Vendors & Products added: Apache; Apache directory Ldap Api.

Mon, 01 Jun 2026 07:30:00 +0000: Values added:
  • Description: identical to the Description section above.
  • Title: Apache Directory LDAP API: LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname
  • Weaknesses: CWE-297
  • References: (none listed)
  • Metrics (cvssV4_0): score 8.8, vector CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:L


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T07:44:00.462Z

Reserved: 2026-04-03T13:46:12.414Z

Link: CVE-2026-35563

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T08:16:20.307

Modified: 2026-06-01T09:16:16.903

Link: CVE-2026-35563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T08:30:24Z

Weaknesses