Description
A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 addresses this issue. The patch is identified as commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-02
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in the mg_tls_verify_cert_signature function within mongoose.c, part of Cesanta Mongoose’s P‑384 Public Key Handler. A crafted request can manipulate the signature verification logic, allowing an attacker to bypass the certificate validation that is normally performed during TLS handshakes. Because the vulnerability grants authorization bypass, an attacker who exploits it could elevate privileges or gain unauthorized access to protected resources, compromising confidentiality, integrity, or availability of services that rely on proper certificate validation.

Affected Systems

Cesanta Mongoose is affected on versions up to 7.20 inclusive. The fix is delivered in release 7.21, which incorporates the commit 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. Systems deploying any earlier build of Mongoose should review their version number and apply the upgrade.

Risk and Exploitability

The CVSS base score is 6.3, indicating moderate severity. The EPSS score is unavailable, but the exploitability is described as difficult and the attack can be launched remotely, suggesting limited but non‑negligible risk. Because the vulnerability is not listed in the CISA KEV database, it has not yet been confirmed as a known exploited vulnerability, yet public disclosure may lead to future attacks. Until the product is patched, the window of opportunity remains open for attackers who can target systems that still use Mongoose 7.20 or earlier.

Generated by OpenCVE AI on April 2, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cesanta Mongoose to version 7.21 or later to apply the signature verification fix.
  • Confirm that the mg_tls_verify_cert_signature function in your deployment incorporates the patch commit.
  • Monitor Cesanta release notes and security advisories for any further updates or additional workarounds.

Tracking

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 10:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A vulnerability was determined in Cesanta Mongoose up to 7.20. Affected is the function mg_tls_verify_cert_signature of the file mongoose.c of the component P-384 Public Key Handler. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 7.21 is able to address this issue. This patch is called 0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Type: Title
Values Added: Cesanta Mongoose P-384 Public Key mongoose.c mg_tls_verify_cert_signature authorization

Type: First Time appeared
Values Added: Cesanta; Cesanta mongoose

Type: Weaknesses
Values Added: CWE-285; CWE-639

Type: CPEs
Values Added: cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Cesanta; Cesanta mongoose

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV2_0 {'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Cesanta Mongoose
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T13:07:02.788Z

Reserved: 2026-03-31T14:45:56.419Z

Link: CVE-2026-5246

Vulnrichment

Updated: 2026-04-02T13:06:52.126Z

NVD

Status : Awaiting Analysis

Published: 2026-04-02T10:16:17.763

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-5246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:34Z

Weaknesses