CVE-2026-53712

Source
https://cve.org/CVERecord?id=CVE-2026-53712
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53712.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53712
Aliases
Published
2026-07-17T18:19:11.896Z
Modified
2026-07-18T03:47:34.983549878Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N CVSS Calculator
Summary
SCRAM: Silent channel-binding authentication downgrade via unsupported certificate algorithms
Details

SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to 3.3, a flaw in com.ongres.scram:scram-client and com.ongres.scram:scram-common allows an attacker capable of a TLS man-in-the-middle attack to silently downgrade a connection from SCRAM-SHA-256-PLUS with channel binding to standard SCRAM-SHA-256 without channel binding when TlsServerEndpoint processes an X.509 certificate using a modern signature algorithm such as Ed25519; getChannelBindingData() can return an empty byte array after NoSuchAlgorithmException, and the ScramClient builder treats that as absent channel-binding data. This issue is fixed in version 3.3.

Database specific
{
    "cwe_ids": [
        "CWE-636",
        "CWE-757"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53712.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/ongres/scram

Affected ranges

Type
GIT
Repo
https://github.com/ongres/scram
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

1.*
1.0.0-beta.2
1.9-beta1
2.*
2.0
2.0-beta1
2.0-beta2
2.0-beta3
2.1
3.*
3.0
3.1
3.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53712.json"