PatchSiren cyber security CVE debrief
CVE-2026-45389 OCaml CVE debrief
A vulnerability was discovered in OCaml-TLS before version 2.1.0. The server implementation performs insufficient checks on the certificate provided by the client during client authentication. This flaw allows for impersonation using certificates that are not intended for client authentication, due to improper validation of KeyUsage and ExtendedKeyUsage.
- Vendor: OCaml
- Product: OCaml-TLS
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-17
Who should care
Operators of OCaml-TLS servers before version 2.1.0 that authenticate clients with certificates (mutual TLS) are affected. The exposure is greatest where the CA trusted for client certificates also issues certificates for other purposes, such as server certificates, since any such certificate could be presented as a client certificate. Servers that do not request client certificates are not exposed through this flaw.
Technical summary
The flaw is in the server side of OCaml-TLS before 2.1.0. When the server requests a client certificate, it performs its other checks but does not verify that the leaf certificate is actually permitted to be used for client authentication: the KeyUsage extension (which for TLS client authentication must include digitalSignature, because the client signs the CertificateVerify message) and the ExtendedKeyUsage extension (which, when present, must include id-kp-clientAuth, 1.3.6.1.5.5.7.3.2) are not enforced. As a result, a certificate that otherwise passes validation but was issued for a different purpose, for example a trusted CA's server-authentication certificate, is accepted as a client certificate, and whoever holds its private key can impersonate a client.
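The following is an added example, not OCaml-TLS code, showing the purpose check a server should apply to a client certificate's KeyUsage and ExtendedKeyUsage extensions, next to a "lenient" function that models the pre-2.1.0 behaviour the advisory describes. The policy follows RFC 5280: KeyUsage, if present, must include digitalSignature; ExtendedKeyUsage, if present, must list id-kp-clientAuth or anyExtendedKeyUsage. Function names are the author's choice, and the sample Extensions blocks are constructed inline with a small DER encoder rather than taken from real certificates.

```python
# Added example (not OCaml-TLS code): decide whether a leaf certificate's
# KeyUsage / ExtendedKeyUsage extensions permit TLS client authentication.
# Policy per RFC 5280 4.2.1.3 / 4.2.1.12. Sample inputs are constructed here.

OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_ANY_EKU = "2.5.29.37.0"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
KU_DIGITAL_SIGNATURE = 0   # KeyUsage bit index (bit 0 = MSB of first byte)
KU_KEY_ENCIPHERMENT = 2
KU_KEY_AGREEMENT = 4

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def extension(oid, value_der, critical=False):
    body = encode_oid(oid) + (der(0x01, b"\xff") if critical else b"")
    return der(0x30, body + der(0x04, value_der))

def key_usage_ext(bits):
    """KeyUsage BIT STRING; bit i is the i-th most significant bit."""
    nbytes = max(bits) // 8 + 1
    buf = bytearray(nbytes)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - (max(bits) + 1)
    return extension(OID_KEY_USAGE, der(0x03, bytes([unused]) + bytes(buf)), True)

def eku_ext(oids):
    return extension(OID_EXT_KEY_USAGE, der(0x30, b"".join(map(encode_oid, oids))))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nlen = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nlen], "big"), pos + nlen
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(ext_seq):
    """Map extnID (dotted OID) -> extnValue contents of a DER Extensions SEQUENCE."""
    tag, body, _ = read_tlv(ext_seq, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_body, p = read_tlv(ext, 0)
        t, val, p = read_tlv(ext, p)
        if t == 0x01:                 # skip the optional 'critical' BOOLEAN
            t, val, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result[decode_oid(oid_body)] = val
    return result

def key_usage_bits(value):
    _, body, _ = read_tlv(value, 0)
    unused, data = body[0], body[1:]
    return {i for i in range(len(data) * 8 - unused) if data[i // 8] & (0x80 >> i % 8)}

def eku_oids(value):
    _, body, _ = read_tlv(value, 0)
    oids, pos = [], 0
    while pos < len(body):
        _, oid_body, pos = read_tlv(body, pos)
        oids.append(decode_oid(oid_body))
    return oids

def usable_for_client_auth(ext_seq):
    """Strict check a server should apply before trusting a client certificate."""
    exts = parse_extensions(ext_seq)
    if OID_KEY_USAGE in exts and KU_DIGITAL_SIGNATURE not in key_usage_bits(exts[OID_KEY_USAGE]):
        return False
    if OID_EXT_KEY_USAGE in exts:
        purposes = eku_oids(exts[OID_EXT_KEY_USAGE])
        if OID_CLIENT_AUTH not in purposes and OID_ANY_EKU not in purposes:
            return False
    return True

def lenient_accepts(ext_seq):
    """Models the pre-2.1.0 behaviour the advisory describes: purpose is never enforced."""
    parse_extensions(ext_seq)   # extensions parse fine, but nothing is checked
    return True

# Constructed Extensions blocks containing only the two purpose extensions.
SERVER_ONLY = der(0x30, key_usage_ext([KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT]) + eku_ext([OID_SERVER_AUTH]))
CLIENT_CERT = der(0x30, key_usage_ext([KU_DIGITAL_SIGNATURE]) + eku_ext([OID_CLIENT_AUTH]))
KEY_AGREEMENT_ONLY = der(0x30, key_usage_ext([KU_KEY_AGREEMENT]) + eku_ext([OID_CLIENT_AUTH]))
NO_PURPOSE_EXTS = der(0x30, b"")

if __name__ == "__main__":
    for name, blob in [("server-only", SERVER_ONLY), ("client", CLIENT_CERT),
                       ("key-agreement-only", KEY_AGREEMENT_ONLY), ("no purpose exts", NO_PURPOSE_EXTS)]:
        print(f"{name:20} lenient={lenient_accepts(blob)} strict={usable_for_client_auth(blob)}")
```

The server-only sample is the interesting case: it chains and parses cleanly, so the lenient policy admits it, while the strict policy rejects it because its ExtendedKeyUsage names only serverAuth. A certificate with no purpose extensions at all is accepted by both, which RFC 5280 permits; a deployment that wants to be stricter than the RFC can additionally require the ExtendedKeyUsage extension to be present.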
Defensive priority
High
Recommended defensive actions
- Update to OCaml-TLS version 2.1.0 or later, which adds the missing KeyUsage and ExtendedKeyUsage checks on client certificates.
- Review client authentication configurations. Until the upgrade is deployed, verify at the application layer that each presented client certificate carries id-kp-clientAuth in ExtendedKeyUsage and digitalSignature in KeyUsage before granting access.
- Narrow what the server will accept: issue client certificates from a dedicated CA that is trusted only for client authentication, or maintain an allowlist (pinning) of the expected client certificates or subjects, so that a certificate issued for another purpose is rejected even if it chains to a trusted root.
Evidence notes
The CVE record indicates that the vulnerability was published and modified on June 15, 2026. The source item URL suggests that this information comes from the NVD database.
Official resources
- CVE-2026-45389 CVE record (CVE.org)
- CVE-2026-45389 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-45389 was published and modified on 2026-06-15T20:16:28.470Z.