CVE-2026-45389: n/a
OCaml-TLS versions before 2.1.0 have a vulnerability in the server implementation related to client certificate authentication. The server does not properly verify the KeyUsage and ExtendedKeyUsage fields of client certificates, allowing an attacker to impersonate clients using certificates not intended for client authentication.
AI Analysis
Technical Summary
The vulnerability in OCaml-TLS prior to version 2.1.0 involves insufficient validation of client certificates during client authentication. Specifically, the server fails to enforce proper checks on the KeyUsage and ExtendedKeyUsage extensions of the certificate, which are critical to ensuring that a certificate is authorized for client authentication. This flaw could allow an attacker to use a certificate that is not meant for client authentication to impersonate a legitimate client to the server.
Potential Impact
An attacker could bypass intended certificate usage restrictions and impersonate a client by presenting a certificate that lacks the appropriate KeyUsage or ExtendedKeyUsage attributes for client authentication. This undermines the trust model of client authentication in OCaml-TLS servers and could lead to unauthorized access or actions performed under the guise of a legitimate client.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should consider alternative mitigations such as additional application-layer checks or disabling client certificate authentication if feasible.
CVE-2026-45389: n/a
Description
OCaml-TLS versions before 2.1.0 have a vulnerability in the server implementation related to client certificate authentication. The server does not properly verify the KeyUsage and ExtendedKeyUsage fields of client certificates, allowing an attacker to impersonate clients using certificates not intended for client authentication.
Affected software
pkg:golang/github.com/mirleft/ocaml-tlsRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in OCaml-TLS prior to version 2.1.0 involves insufficient validation of client certificates during client authentication. Specifically, the server fails to enforce proper checks on the KeyUsage and ExtendedKeyUsage extensions of the certificate, which are critical to ensuring that a certificate is authorized for client authentication. This flaw could allow an attacker to use a certificate that is not meant for client authentication to impersonate a legitimate client to the server.
Potential Impact
An attacker could bypass intended certificate usage restrictions and impersonate a client by presenting a certificate that lacks the appropriate KeyUsage or ExtendedKeyUsage attributes for client authentication. This undermines the trust model of client authentication in OCaml-TLS servers and could lead to unauthorized access or actions performed under the guise of a legitimate client.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should consider alternative mitigations such as additional application-layer checks or disabling client certificate authentication if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-05-12T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3052e10b89be688882748f
Added to database: 6/15/2026, 7:30:41 PM
Last enriched: 6/15/2026, 8:02:04 PM
Last updated: 6/16/2026, 6:21:36 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.