CVE-2026-32883

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-32883

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32883.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-32883

Aliases

GHSA-9j2j-hqmc-hf5x

Downstream

DEBIAN-CVE-2026-32883

UBUNTU-CVE-2026-32883

Published

2026-03-30T20:36:30.579Z

Modified

2026-04-02T13:41:31.026151Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass

Details

Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32883.json",
    "cwe_ids": [
        "CWE-347"
    ]
}

References

Affected packages

Git / github.com/randombit/botan

Affected ranges

Type

GIT

Repo

https://github.com/randombit/botan

Events

Introduced

51b06ca93d1998d19927699f78b8d67539148dde

Fixed

4f6f5bbaf7263ca6062e6644950ae30625f06490

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.11.0"
        }
    ]
}

Affected versions

3.*

3.0.0

3.1.0

3.1.1

3.10.0

3.2.0

3.3.0

3.4.0

3.5.0

3.6.0

3.6.1

3.7.0

3.7.1

3.8.0

3.8.1

3.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32883.json"