HSEC-2026-0008
See a problem?- Import Source
- https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0008.json
- JSON Data
- https://api.osv.dev/v1/vulns/HSEC-2026-0008
- Aliases
-
- CVE-2026-9648
- Published
- 2026-06-03T13:30:48Z
- Modified
- 2026-06-03T13:45:42.872452373Z
- Summary
- crypton-x509-validation and crypton-x509 do not enforce X.509 Name Constraints
- Details
-
crypton-x509-validation and crypton-x509 do not enforce X.509 Name Constraints
The
crypton-x509-validationandcrypton-x509libraries did not enforce the X.509 Name Constraints extension during certificate validation. The Name Constraints extension is a critical X.509 extension that restricts the namespace (permitted and excluded subtrees) for which a CA is authorized to issue certificates.Without this enforcement, a TLS client would accept certificates with Subject Alternative Names (SANs) that fall outside the issuing CA's permitted subtrees. An attacker with access to a name-constrained sub-CA's private key could therefore issue certificates for domains outside the sub-CA's intended scope, enabling impersonation of arbitrary domains and man-in-the-middle attacks on TLS connections.
The older
x509andx509-validationpackages are also affected but are no longer maintained and have no fix available.This issue was fixed in
crypton-x509-validation-1.9.1andcrypton-x509-1.9.1. - Database specific
{ "repository": "https://github.com/haskell/security-advisories", "home": "https://github.com/haskell/security-advisories", "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export" }- References
Affected packages
Hackage / crypton-x509-validation
Package
- Name
- crypton-x509-validation
- Purl
- pkg:hackage/crypton-x509-validation
Severity
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Database specific
source
"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0008.json"
human_link
"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0008.md"
osv
"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0008.json"
Hackage / crypton-x509
Package
- Name
- crypton-x509
- Purl
- pkg:hackage/crypton-x509
Severity
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Database specific
source
"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0008.json"
human_link
"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0008.md"
osv
"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0008.json"
Hackage / x509-validation
Package
- Name
- x509-validation
- Purl
- pkg:hackage/x509-validation
Severity
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Affected versions
1.*
Database specific
source
"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0008.json"
human_link
"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0008.md"
osv
"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0008.json"
Hackage / x509
Package
- Name
- x509
- Purl
- pkg:hackage/x509
Severity
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Affected versions
1.*
Database specific
source
"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0008.json"
human_link
"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0008.md"
osv
"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0008.json"