CVE-2026-34582: CWE-841: Improper Enforcement of Behavioral Workflow in randombit botan
CVE-2026-34582 is a high-severity vulnerability in the Botan C++ cryptography library prior to version 3.11.1. The TLS 1.3 implementation allowed ApplicationData records to be processed before the Finished message was received. This flaw enables a client to bypass server-enforced client authentication by omitting the Certificate, CertificateVerify, and Finished messages and sending application data records instead. The issue is fixed in Botan version 3.11.1.
AI Analysis
Technical Summary
Botan versions before 3.11.1 have a vulnerability in their TLS 1.3 implementation where ApplicationData records can be processed before the Finished handshake message is received. This improper enforcement of the TLS workflow (CWE-841) allows a client to bypass client certificate authentication on the server by skipping the Certificate, CertificateVerify, and Finished messages and sending application data directly. This undermines the intended authentication mechanism. The vulnerability has a CVSS 4.0 score of 8.7, indicating high severity. The issue is resolved in Botan 3.11.1.
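The ordering rule at issue, as an added example that is not Botan's code and not part of the original advisory: a simplified server-side state machine in which `enforce_order=false` hands application data to the application before Finished, and `true` rejects it. All type and function names are hypothetical, and a non-empty client certificate is assumed.

```cpp
// Simplified model of the client messages a TLS 1.3 server expects after its
// own flight when it has requested a client certificate. Illustrative names,
// not Botan's API; signature and MAC verification are assumed to have passed.
enum class Msg { Certificate, CertificateVerify, Finished, ApplicationData };
enum class State { ExpectCertificate, ExpectCertificateVerify, ExpectFinished, Established, Failed };
enum class Result { Consumed, DeliveredToApp, FatalUnexpectedMessage };

class ServerHandshake {
public:
   // enforce_order=false reproduces the flawed workflow; true is the hardened one.
   explicit ServerHandshake(bool enforce_order) : m_enforce(enforce_order) {}

   Result on_message(Msg m) {
      if(m_state == State::Failed) return Result::FatalUnexpectedMessage;
      if(m == Msg::ApplicationData) {
         // Application data is valid only after the client's Finished.
         if(m_state == State::Established || !m_enforce) return Result::DeliveredToApp;
         return fail();
      }
      switch(m_state) {
         case State::ExpectCertificate:
            if(m == Msg::Certificate) return advance(State::ExpectCertificateVerify);
            break;
         case State::ExpectCertificateVerify:
            if(m == Msg::CertificateVerify) return advance(State::ExpectFinished);
            break;
         case State::ExpectFinished:
            if(m == Msg::Finished) return advance(State::Established);
            break;
         default: break;  // handshake messages once Established are rejected below
      }
      return fail();
   }

   bool client_authenticated() const { return m_state == State::Established; }
private:
   Result advance(State next) { m_state = next; return Result::Consumed; }
   Result fail() { m_state = State::Failed; return Result::FatalUnexpectedMessage; }
   State m_state = State::ExpectCertificate;
   bool m_enforce;
};

int main() {
   ServerHandshake flawed(false), hardened(true);
   // Constructed input: the first client record is ApplicationData.
   bool ok = flawed.on_message(Msg::ApplicationData) == Result::DeliveredToApp &&
             hardened.on_message(Msg::ApplicationData) == Result::FatalUnexpectedMessage;
   return ok ? 0 : 1;
}
```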
Potential Impact
On a server that relies on Botan versions prior to 3.11.1 for TLS 1.3 and enforces client authentication via certificates, a malicious client can bypass that authentication. The client can omit critical handshake messages and send application data prematurely, potentially allowing unauthorized access or communication without proper authentication.
Mitigation Recommendations
Upgrade Botan to version 3.11.1 or later, where this vulnerability is fixed. Patch status is not explicitly stated beyond the fixed version, but upgrading to 3.11.1 is the recommended remediation. There is no indication of alternative mitigations or temporary fixes.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T16:56:30.999Z
- Cvss Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d5779eaaed68159a6ad783
Added to database: 4/7/2026, 9:31:10 PM
Last enriched: 4/15/2026, 3:54:24 PM
Last updated: 5/22/2026, 5:36:59 PM