CVE-2026-35563: Apache Directory LDAP API: LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname
It was identified that the LDAP client implementation in version 2.1.7 does not verify that the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be accepted. This oversight leaves the connection vulnerable to server impersonation and complete connection compromise.

The root cause of this vulnerability lies in the incomplete TLS server identity verification within the LDAP client implementation. To exploit it, the attacker requires MITM capability on the network and must be able to present a certificate trusted by the client's configured trust store.

Hostname verification is enforced in the new version of the LDAP API.
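The check the advisory describes as missing, written out as an added stand-alone example (illustrative code, not the Apache Directory LDAP API's implementation): a chain-valid certificate is accepted only when one of its names identifies the host the client intended to reach. The certificates, CA name and host names below are constructed for the example. The matching rules are those of RFC 6125, which are also what JSSE applies when an application sets SSLParameters.setEndpointIdentificationAlgorithm("LDAPS") on a connection.

```python
"""Stand-alone model of TLS endpoint identification for an LDAP client.

Certificates are represented in the dict shape Python's
ssl.SSLSocket.getpeercert() returns.  The matching rules follow RFC 6125:
dNSName SANs are authoritative, a wildcard may only replace the whole
left-most label, an IP literal matches only an iPAddress SAN, and the
subject CN is consulted only when the certificate has no dNSName SAN.
Example code, not the Apache Directory LDAP API's implementation.
"""

import ipaddress


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot denotes the root.
    return name.rstrip(".").lower()


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial-label wildcards (ld*.corp.example), wildcards in any
    # label but the first, and patterns like *.example that would cover a
    # whole public suffix.
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False
    # The wildcard stands for exactly one label, so *.corp.example matches
    # ldap.corp.example but neither corp.example nor a.b.corp.example.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if `cert` identifies `hostname`: the endpoint identification
    step the advisory says the client skipped after validating the chain."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # An IP literal never matches a dNSName or the CN.
        return any(ipaddress.ip_address(ip) == target_ip for ip in ip_names)

    if dns_names:
        return any(_dns_name_matches(name, hostname) for name in dns_names)

    # Legacy fallback: the CN counts only when no dNSName SAN is present.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def accept_server(cert: dict, intended_host: str, chain_valid: bool,
                  verify_hostname: bool) -> bool:
    """Trust decision of a TLS client.  verify_hostname=False reproduces the
    behaviour described in the advisory: any chain-valid certificate passes."""
    if not chain_valid:
        return False
    if not verify_hostname:
        return True
    return hostname_matches(cert, intended_host)


# Constructed certificates (not real ones): both chain to the same trusted
# corporate CA, but only one was issued for the directory the client wants.
INTENDED_HOST = "ldap.corp.example"

LEGITIMATE_CERT = {
    "issuer": ((("commonName", "Corp Internal CA"),),),
    "subject": ((("commonName", "ldap.corp.example"),),),
    "subjectAltName": (("DNS", "ldap.corp.example"), ("DNS", "*.corp.example")),
}

UNRELATED_CERT = {
    "issuer": ((("commonName", "Corp Internal CA"),),),
    "subject": ((("commonName", "wiki.other.example"),),),
    "subjectAltName": (("DNS", "wiki.other.example"),),
}


if __name__ == "__main__":
    for label, cert in (("legitimate", LEGITIMATE_CERT), ("unrelated", UNRELATED_CERT)):
        chain_only = accept_server(cert, INTENDED_HOST, True, verify_hostname=False)
        with_check = accept_server(cert, INTENDED_HOST, True, verify_hostname=True)
        print(f"{label:10s} cert: chain-only accepts={chain_only}, "
              f"with hostname check accepts={with_check}")
```

Running the module prints the two decisions side by side: with `verify_hostname=False` the certificate for wiki.other.example is accepted for ldap.corp.example because it chains to the same trusted CA, which is exactly the server-impersonation condition the advisory describes; with the check enabled only the legitimate certificate passes.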
Metrics
- CVSS v4.0: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a TLS hostname verification bypass in the Apache Directory LDAP API (versions up to and including 2.1.7). The LDAP client validates the certificate chain against a trusted authority but does not check whether the certificate names the server it is actually connecting to. An attacker with man-in-the-middle (MITM) position on the network can therefore present any certificate that chains to a CA in the client's trust store, whatever host it was issued for, and impersonate the intended LDAP server. Successful exploitation gives the attacker full visibility into LDAP traffic and the ability to tamper with directory responses. No fix version has been published upstream yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as a fix version is released.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-35563 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Apache Directory LDAP API. Coverage applies at both registry scan time and inline CI/CD pipeline checkpoints.
- Scoring and triage: Available
HarborGuard scores this CVE at its published CVSS v4.0 rating of 8.8 (HIGH) and weights that score against each environment's compliance policy to determine breach-of-threshold status. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
- Remediation: Pending upstream
Because no fix version has been published upstream, HarborGuard re-checks the Apache advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version is released. In the interim, the platform surfaces the affected images and their dependency paths so teams can apply compensating controls without waiting for an upstream patch.
Exploit Conditions
- Network reachability: Required
The attacker must be positioned on the network path between the LDAP client and server to intercept and modify the TLS handshake (AV:N).
- Authentication: Required
The attacker needs a low-privilege account or equivalent access to initiate or influence the LDAP connection that can be intercepted (PR:L).
- Victim interaction: Not required
No action from a user or victim application is needed once the attacker has MITM position on the network path (UI:N).
- Attack complexity: High
Exploitation requires specific pre-conditions: the attacker must have active MITM capability on the network and must possess or obtain a certificate trusted by the client's configured trust store (AC:H, AT:P).
Blast Radius
- The attacker terminates the TLS session and reads all LDAP traffic, including bind credentials, directory queries, and user or group records returned by the server.
- The attacker modifies directory responses in transit, injecting false group memberships, altered user attributes, or fabricated authentication results.
- Downstream systems that rely on LDAP for access control decisions inherit the tampered data, meaning authorization decisions across dependent services are affected (SC:H, SI:L).
- Service availability is not directly impacted by this vulnerability; the legitimate LDAP server continues to respond normally (VA:N). Any availability effect is confined to downstream systems acting on tampered directory data (SA:L).
How HarborGuard Handles This
Because no upstream fix version exists for CVE-2026-35563 at this time, the platform monitors the Apache advisory on every ingest cycle and will trigger a patched-image rebuild automatically once Apache publishes a remediated release. For environments with auto-remediation enabled, that rebuild includes a regression-test run and a PR opened against affected workloads.

While awaiting the upstream patch, teams can use HarborGuard's network-policy controls to restrict egress from containers using the Apache Directory LDAP API, permitting LDAP traffic only to known, explicitly authorized server addresses. This blocks variants of the attack that steer the client to an attacker-controlled address (for example through DNS or route manipulation); it does not stop an attacker who is already on the path to the authorized address, so it narrows the exposure rather than closing it. Where compliance policy permits, images containing versions at or below 2.1.7 can also be flagged as non-deployable to production until the upstream fix lands.
Affected Products
- Apache Software Foundation / Apache Directory LDAP API: ≤ 2.1.7

CVSS v4.0 vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:L