HarborGuard Database

CVE-2026-45388 | Severity: CRITICAL | CNA: mitre

CVE-2026-45388: In OCaml-TLS before 2

In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).

Metrics

CVSS v3.1 score: 9.1
Severity: CRITICAL
Fixed in: (no fix version published)
Affected products: 1


HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in the OCaml-TLS library affecting its TLS client implementation. The flaw is reachable over the network without any authentication, allowing a network attacker to impersonate a legitimate TLS server by presenting a certificate that lacks the proper KeyUsage or ExtendedKeyUsage extensions for server authentication. Successful exploitation lets an attacker intercept and read encrypted traffic and tamper with data in transit. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment a fix version is released.
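The check the synopsis describes as missing is the purpose-binding step of server certificate validation: beyond building a chain to a trusted root, a TLS client must confirm that the presented certificate's ExtendedKeyUsage permits serverAuth and that its KeyUsage bits allow what the server does in the handshake. The Go program below is an added illustration and is not OCaml-TLS code or anything from HarborGuard; it mints a throwaway CA and leaf certificate in memory for the constructed host name "example.test", then runs the defender-side check against three certificates: a proper server certificate, a certificate issued only for client authentication (the shape of certificate this CVE lets a client accept), and a certificate whose KeyUsage lacks digitalSignature. The function names buildChain, checkServerCert and serverAuthAccepted are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildChain mints a throwaway CA and a leaf certificate for the constructed
// host "example.test" carrying the given KeyUsage bits and EKU list. Everything
// lives in memory; this stands in for a certificate a server would present.
func buildChain(ku x509.KeyUsage, ekus []x509.ExtKeyUsage) (*x509.Certificate, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  ekus,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return leaf, pool, nil
}

// checkServerCert is the client-side purpose check. x509.Verify enforces the
// ExtendedKeyUsage chain requirement when KeyUsages is set (a cert with no EKU
// extension is treated as unrestricted, per RFC 5280). Verify does not look at
// KeyUsage bits, so the digitalSignature requirement is checked explicitly:
// an ECDSA server key, as used here, signs in every TLS handshake it can take
// part in, so a KeyUsage extension that omits digitalSignature is a mismatch.
func checkServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return fmt.Errorf("chain or ExtendedKeyUsage check failed: %w", err)
	}
	if leaf.KeyUsage != 0 && leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("KeyUsage extension present but digitalSignature is not set")
	}
	return nil
}

// serverAuthAccepted reports whether a certificate with the given usages would
// be accepted as a server certificate for example.test.
func serverAuthAccepted(ku x509.KeyUsage, ekus []x509.ExtKeyUsage) (bool, error) {
	leaf, pool, err := buildChain(ku, ekus)
	if err != nil {
		return false, err
	}
	return checkServerCert(leaf, pool, "example.test") == nil, nil
}

func main() {
	cases := []struct {
		name string
		ku   x509.KeyUsage
		ekus []x509.ExtKeyUsage
	}{
		{"EKU serverAuth, KU digitalSignature", x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		{"EKU clientAuth only (the CVE-2026-45388 shape)", x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		{"EKU serverAuth, KU keyAgreement only", x509.KeyUsageKeyAgreement, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
	}
	for _, c := range cases {
		ok, err := serverAuthAccepted(c.ku, c.ekus)
		if err != nil {
			fmt.Printf("%-48s error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-48s accepted=%v\n", c.name, ok)
	}
}
```

Only the first certificate is accepted; the second is rejected by the EKU check and the third by the KeyUsage check. A client that skips either check, as the advisory describes for OCaml-TLS before 2.1.0, would accept all three as long as the chain itself validates, which is why a certificate issued for some other purpose is enough to impersonate a server.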

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle OCaml-TLS as a dependency.

Triage: Available

HarborGuard scores this finding at 9.1 CRITICAL using the published CVSS v3.1 vector, and per-environment compliance policy weighting is applied to prioritize and route the alert to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream project ships a fix. In the meantime, advisory status updates are surfaced in each customer environment as they become available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network; the component is exposed via standard network connectivity with no physical or local access requirement.

  • Authentication: Not required

    No credentials or account of any kind are needed to attempt exploitation; the vulnerability is exposed to unauthenticated network peers.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is required; exploitation proceeds without any victim participation.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free, requiring no race condition or specific memory layout; an attacker simply presents, during the TLS handshake, a certificate that is otherwise accepted by the client but whose KeyUsage or ExtendedKeyUsage was not issued for server authentication.

Blast Radius

  • An attacker impersonates a trusted TLS server, causing the OCaml-TLS client to establish a session with a malicious endpoint it believes to be legitimate.
  • All data sent by the client over the spoofed TLS session is readable by the attacker, including credentials, session tokens, and application payloads.
  • All data received by the client can be substituted or modified by the attacker, allowing injection of arbitrary application-layer content.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-45388 at this time, the platform monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR against affected workloads the moment OCaml-TLS publishes a fix. While no patch is available, customers can apply compensating controls such as network-policy isolation to restrict which services can initiate outbound TLS connections using affected images, egress filtering to limit reachable TLS endpoints to known-good addresses, and feature-flag gating to disable functionality that depends on the vulnerable client path. Advisory status updates appear in the HarborGuard finding detail as the upstream situation evolves.

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References