CVE-2026-35563: CWE-297 Improper Validation of Certificate with Host Mismatch in Apache Software Foundation Apache Directory LDAP API
It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be improperly accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise. The root cause of this vulnerability lies in the incomplete TLS server identity verification within the LDAP client implementation. The attacker requires MITM capability on the network to exploit this vulnerability. This attacker must be able to present a certificate trusted by the client's configured trust store. The hostname verification has been enforced in the new version of the LDAP API
AI Analysis
Technical Summary
The LDAP client implementation in Apache Directory LDAP API version 2.1.7 and earlier does not perform hostname verification on the server certificate during TLS connections. While the certificate chain is validated against trusted certificate authorities, the client accepts certificates valid for unrelated hosts due to missing endpoint identification. This improper validation (CWE-297) allows an attacker with man-in-the-middle capabilities and a certificate trusted by the client to impersonate the LDAP server, leading to potential connection compromise. The issue is resolved by enforcing hostname verification in newer LDAP API versions.
Potential Impact
An attacker capable of man-in-the-middle attacks who can present a certificate trusted by the client's trust store can impersonate the LDAP server, leading to a complete compromise of the LDAP connection. This undermines the confidentiality and integrity of data transmitted over the LDAP connection.
Mitigation Recommendations
Hostname verification has been enforced in newer versions of the Apache Directory LDAP API. Users should upgrade to a version that includes this fix to ensure proper TLS server identity verification. Patch status is not explicitly confirmed in the advisory; therefore, verify the vendor advisory for the latest remediation guidance.
CVE-2026-35563: CWE-297 Improper Validation of Certificate with Host Mismatch in Apache Software Foundation Apache Directory LDAP API
Description
It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be improperly accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise. The root cause of this vulnerability lies in the incomplete TLS server identity verification within the LDAP client implementation. The attacker requires MITM capability on the network to exploit this vulnerability. This attacker must be able to present a certificate trusted by the client's configured trust store. The hostname verification has been enforced in the new version of the LDAP API
CVSS v4.0
Score 8.8high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The LDAP client implementation in Apache Directory LDAP API version 2.1.7 and earlier does not perform hostname verification on the server certificate during TLS connections. While the certificate chain is validated against trusted certificate authorities, the client accepts certificates valid for unrelated hosts due to missing endpoint identification. This improper validation (CWE-297) allows an attacker with man-in-the-middle capabilities and a certificate trusted by the client to impersonate the LDAP server, leading to potential connection compromise. The issue is resolved by enforcing hostname verification in newer LDAP API versions.
Potential Impact
An attacker capable of man-in-the-middle attacks who can present a certificate trusted by the client's trust store can impersonate the LDAP server, leading to a complete compromise of the LDAP connection. This undermines the confidentiality and integrity of data transmitted over the LDAP connection.
Mitigation Recommendations
Hostname verification has been enforced in newer versions of the Apache Directory LDAP API. Users should upgrade to a version that includes this fix to ensure proper TLS server identity verification. Patch status is not explicitly confirmed in the advisory; therefore, verify the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-03T13:46:12.414Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1d4e79e29bf47b50cd4b6b
Added to database: 6/1/2026, 9:18:49 AM
Last enriched: 6/1/2026, 9:33:27 AM
Last updated: 6/2/2026, 7:22:47 AM
Views: 29
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.