Description
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Certificate Validation Leading to Remote Exploitation
Action: Immediate Patch
AI Analysis

Impact

HybridAuth up to version 3.12.2 has a flaw in its SSL handling component, Curl.php, that allows an attacker to circumvent certificate checks by manipulating curlOptions. This improper certificate validation (CWE‑295) could let an attacker perform man‑in‑the‑middle or other credential‑stealing attacks, exposing confidential data, while the system may accept unauthorized connections (CWE‑287).

Affected Systems

The vulnerability is present in the HybridAuth library, including all versions up through 3.12.2, and affects any application that relies on that code for OAuth or other authentication flows.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. EPSS information is not available and the flaw is not listed in the CISA KEV catalog. Exploitation requires remote access, a high attack complexity, and is deemed difficult. Attackers could craft a request that overrides the curl options, forcing the library to accept untrusted certificates. Until the library is updated, this weakness remains exploitable.

Generated by OpenCVE AI on March 23, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update HybridAuth to a version newer than 3.12.2 if possible.
  • If an upgrade is not feasible at the moment, review application code to limit or sanitize curlOptions and consider disabling SSL verification only for trusted environments.
  • Monitor network traffic for anomalous SSL handshakes that indicate certificate validation bypass attempts.

Generated by OpenCVE AI on March 23, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r3hf-q3mf-7h6w HybridAuth Has Improper SSL Certificate Validation in Curl HTTP Client
History

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Hybridauth
Hybridauth hybridauth
Vendors & Products Hybridauth
Hybridauth hybridauth

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet.
Title HybridAuth SSL Curl.php certificate validation
Weaknesses CWE-287
CWE-295
References
Metrics cvssV2_0

{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:N/I:P/A:N/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X'}

Subscriptions

Hybridauth Hybridauth
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T13:46:08.559Z

Reserved: 2026-03-22T09:39:56.778Z

Link: CVE-2026-4587

cve-icon Vulnrichment

Updated: 2026-03-23T13:46:04.458Z

cve-icon NVD

Status : Deferred

Published: 2026-03-23T13:16:31.320

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4587

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:49:08Z

Weaknesses