CVE-2026-54919

Source
https://cve.org/CVERecord?id=CVE-2026-54919
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54919.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54919
Aliases
  • GHSA-8ffh-4p95-g3p2
Downstream
Published
2026-07-10T16:06:12.848Z
Modified
2026-07-15T01:49:21.196117770Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
cpp-httplib: TLS certificate chain verification bypassed for IP-literal hosts on Mbed TLS and wolfSSL backends
Details

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In affected Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL backend versions from 0.33.0 through 0.46.1, when cpp-httplib is built with CPPHTTPLIBMBEDTLSSUPPORT or CPPHTTPLIBWOLFSSLSUPPORT and a client connects to an IP-literal host with server certificate verification enabled, SSLClient and Client in HTTPS mode skip certificate chain validation and WebSocketClient on the Mbed TLS backend skips verification altogether, allowing a man-in-the-middle attacker positioned to intercept traffic to present a crafted certificate and read or modify the traffic. This issue is fixed in version 0.47.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-295"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54919.json"
}
References

Affected packages

Git / github.com/yhirose/cpp-httplib

Affected ranges

Type
GIT
Repo
https://github.com/yhirose/cpp-httplib
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.31.0"
        },
        {
            "fixed": "0.47.0"
        }
    ]
}

Affected versions

Other
latest
v0.*
v0.31.0
v0.32.0
v0.33.0
v0.33.1
v0.34.0
v0.35.0
v0.37.0
v0.37.1
v0.37.2
v0.38.0
v0.39.0
v0.40.0
v0.41.0
v0.42.0
v0.43.0
v0.43.1
v0.43.2
v0.43.3
v0.43.4
v0.44.0
v0.45.0
v0.45.1
v0.46.0
v0.46.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54919.json"