PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35563 Apache Software Foundation CVE debrief

An LDAP client implementation in version 2.1.7 fails to perform TLS endpoint identification (hostname verification), allowing a valid certificate for an unrelated host to be accepted if the certificate chain validates against a trusted authority. The vulnerability requires an attacker with network MITM capability who can present a certificate trusted by the client's configured trust store. The root cause is incomplete TLS server identity verification in the LDAP client. Hostname verification has been enforced in a newer version of the LDAP API.

Vendor: Apache Software Foundation
Product: Apache LDAP API
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations using LDAP client version 2.1.7 for directory services authentication or queries, particularly those operating over untrusted or shared networks where MITM attacks are feasible.

Technical summary

CVE-2026-35563 is a HIGH severity vulnerability (CVSS 8.8) in an LDAP client implementation version 2.1.7. The client validates the certificate chain against trusted authorities but does not verify that the server certificate matches the intended LDAP hostname (endpoint identification). This allows a valid certificate issued for an unrelated host to be improperly accepted, enabling server impersonation and connection compromise via MITM attack. The attacker must have network MITM capability and present a certificate trusted by the client's configured trust store. The vulnerability is classified as CWE-297 (Improper Validation of Certificate with Host Mismatch). Hostname verification has been enforced in a newer version of the LDAP API.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to the new version of the LDAP API that enforces hostname verification.
  • Verify that all LDAP client deployments using version 2.1.7 or earlier have been updated.
  • Review TLS configuration for LDAP connections to ensure endpoint identification is enabled.
  • Audit certificate trust stores to remove unnecessary or overly broad trusted certificates.
  • Monitor network traffic for unexpected LDAP connection terminations or certificate mismatches after patching.
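The endpoint identification step described in the technical summary, and the TLS configuration review recommended above, as an added Python example. This is not code from this debrief or from the Apache LDAP API project (which is written in Java); it shows in a generic client what the missing check does: after the chain validates, the server certificate must still name the host the client intended to reach. The function names (`hostname_matches`, `accept_server`, `ldaps_context`, `audit_context`) and the certificate dictionaries are constructed for illustration; the dictionaries follow the layout Python's `ssl.SSLSocket.getpeercert()` returns, and `check_hostname` on an `ssl.SSLContext` is Python's switch for endpoint identification.

```python
"""Endpoint identification (hostname verification) for an LDAPS client.

Added example, not code from PatchSiren or the Apache LDAP API.
The certificate data below is constructed and is not a real certificate.
"""
import ipaddress
import ssl


def _label_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    Case-insensitive exact match, plus a wildcard that may stand only for
    the whole left-most label (simplified RFC 6125 section 6.4.3 rules:
    no partial-label wildcards, no matching across dots, and at least two
    labels must remain after the wildcard so "*.com" never matches).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        return (len(p_labels) >= 3
                and len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:])
    return False


def hostname_matches(cert: dict, host: str) -> bool:
    """Endpoint identification: does `cert` name `host`?

    `cert` uses the ssl.getpeercert() dict layout. Only subjectAltName
    entries are consulted: DNS names for hostnames, "IP Address" entries
    when the client connected to a literal IP. No commonName fallback.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ipaddress.ip_address(host)
    except ValueError:
        dns_names = [v for kind, v in sans if kind == "DNS"]
        return any(_label_matches(name, host) for name in dns_names)
    ip_names = [v for kind, v in sans if kind == "IP Address"]
    return host in ip_names


def accept_server(cert: dict, intended_host: str, chain_valid: bool,
                  enforce_endpoint_identification: bool) -> bool:
    """Decision a client makes after the TLS handshake.

    With enforce_endpoint_identification=False this reproduces the
    CWE-297 behaviour: a chain-valid certificate for an unrelated host
    is accepted, so a MITM holding any trusted certificate can impersonate
    the directory server.
    """
    if not chain_valid:
        return False
    if not enforce_endpoint_identification:
        return True  # chain-only validation: the vulnerable behaviour
    return hostname_matches(cert, intended_host)


def ldaps_context(enforce_endpoint_identification: bool = True) -> ssl.SSLContext:
    """Client SSLContext for LDAPS; the weak setting is opt-in for contrast."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if not enforce_endpoint_identification:
        ctx.check_hostname = False      # hostname check disabled (weak)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Configuration review: return findings, empty list if the context is sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not required/verified")
    if not ctx.check_hostname:
        findings.append("endpoint identification (hostname verification) disabled")
    return findings


# Constructed certificate data in getpeercert() layout; not real certificates.
CERT_FOR_LDAP = {"subject": ((("commonName", "ldap.example.com"),),),
                 "subjectAltName": (("DNS", "ldap.example.com"),)}
CERT_FOR_UNRELATED_HOST = {"subject": ((("commonName", "mail.other.example"),),),
                           "subjectAltName": (("DNS", "mail.other.example"),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}
CERT_FOR_IP = {"subjectAltName": (("IP Address", "10.0.0.5"),)}

if __name__ == "__main__":
    host = "ldap.example.com"
    for label, enforce in (("chain-only (vulnerable)", False), ("hostname verified", True)):
        ok = accept_server(CERT_FOR_UNRELATED_HOST, host, chain_valid=True,
                           enforce_endpoint_identification=enforce)
        print(f"{label}: unrelated-host certificate accepted = {ok}")
    print("audit of weak context:", audit_context(ldaps_context(False)))
    print("audit of default context:", audit_context(ldaps_context(True)))
```

The `audit_context` function is the programmatic form of the "review TLS configuration" action: run it against every client context your code builds, and treat a non-empty result as a finding. The wildcard rule is deliberately strict; a client that accepted `*.com` or a wildcard spanning several labels would reopen part of the same impersonation risk.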

Evidence notes

The CVE description states that the LDAP client in version 2.1.7 does not verify whether the server certificate matches the intended LDAP hostname. The underlying code validates the certificate chain against a trusted authority, but endpoint identification is absent. The attacker requires MITM capability and the ability to present a certificate trusted by the client's trust store. Hostname verification has been enforced in the new version of the LDAP API. The NVD record lists CWE-297 (Improper Validation of Certificate with Host Mismatch). References include an Apache mailing list thread and an Openwall oss-security post.

Official resources

2026-06-01