CVE-2026-45389 | Severity: CRITICAL | CNA: mitre

CVE-2026-45389: Insufficient client certificate checks in OCaml-TLS before 2.1.0

In OCaml-TLS before 2.1.0, the server implementation performs insufficient checks on the certificate presented by the client during client authentication. This allows impersonation with certificates that are not meant for client authentication, as indicated by their KeyUsage and ExtendedKeyUsage extensions.

Metrics

  • CVSS v3.1 base score: 9.1
  • Severity: CRITICAL
  • Fixed in: not yet recorded (the CVE description names 2.1.0 as the first release without the flaw)
  • Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass exists in the OCaml-TLS server implementation before version 2.1.0. When client authentication is enabled, the server does not adequately check whether the certificate the client presents is actually permitted for client authentication: the KeyUsage and ExtendedKeyUsage extensions are not evaluated for that purpose. A remote, unauthenticated attacker who holds a certificate that the server otherwise accepts but that was not issued for client authentication (for example a certificate from a PKI the server trusts whose ExtendedKeyUsage permits only server authentication) can present it during the handshake and be treated as a legitimate client, gaining unauthorized read access to data and the ability to tamper with protected resources. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix version is confirmed.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-45389 is available across every HarborGuard environment. Ingestion from upstream advisory feeds typically occurs within minutes of publication, and matching is applied against all images in customer registries and CI/CD pipelines. Coverage extends to custom-built images that bundle OCaml-TLS, including internally maintained base images.

Triage: Available

HarborGuard scores this CVE at CVSS 9.1 (Critical) using the published v3.1 vector. Per-environment compliance policy weighting can escalate or adjust routing based on each organization's risk thresholds, and triage results are routed to the appropriate team inbox within each customer org according to configured ownership rules.

Patch: Pending upstream

No fix version is yet recorded for this advisory, although the CVE description names OCaml-TLS 2.1.0 as the first release without the flaw. HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available automatically as soon as a fix version is confirmed. Where compliance policy permits auto-remediation, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once that happens.

Exploit Conditions

  • Network reachability: Required

    The vulnerable TLS server must be reachable over the network; the attacker presents a crafted client certificate during a TLS handshake from a remote connection.

  • Authentication: Not required

    No prior credentials are needed. The flaw is in the authentication step itself, so an attacker with no account can exploit it by presenting a certificate not intended for client authentication.

  • Victim interaction: Not required

    The attack is entirely server-side and requires no action from any user or administrator on the target system.

  • Attack complexity: Low (AC:L in the published vector)

    Exploitation is reliable and free of race conditions or environmental dependencies. The only prerequisite is a certificate that the server would otherwise accept but that is not meant for client authentication.

Blast Radius

  • An attacker reads data the server exposes to authenticated clients, including session tokens, application records, or other protected resources.
  • An attacker modifies or submits data as an impersonated client identity, potentially altering persisted records or triggering privileged application actions.
  • Availability is not directly impacted according to the CVSS scoring (A:N), so service disruption is not a direct outcome of this exploit path.
  • Any access decision that relies on the client identity a vulnerable OCaml-TLS server establishes through mutual TLS can be bypassed, so downstream services that trust that identity are also exposed.

How HarborGuard Handles This

HarborGuard currently lists this CVE as pending upstream: the CVE description identifies OCaml-TLS 2.1.0 as the first release without the flaw, but no fix version is yet recorded in the package data for this advisory. The platform re-checks the advisory on every ingest cycle and will surface a patched-image rebuild as soon as OCaml-TLS 2.1.0 or a later fix release is confirmed. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads are triggered automatically at that point, with no manual intervention required.

In the interim, compensating controls worth considering:

  • Network-policy isolation to restrict which clients can initiate TLS connections to services that use OCaml-TLS for mutual authentication.
  • Egress filtering on those services to limit lateral movement if a bypass succeeds.
  • Feature-flag or configuration gating to turn off client-certificate authentication on endpoints where it is not strictly required, so that no access decision there depends on a client identity the vulnerable server establishes.
  • Restricting the server's trust anchors to a CA that issues only client-authentication certificates. The impersonation requires a certificate the server already trusts, so a CA shared with server certificates or other purposes enlarges the pool of certificates an attacker can reuse.
  • Where the application can inspect the peer certificate after the handshake, rejecting any certificate whose ExtendedKeyUsage lacks id-kp-clientAuth or whose KeyUsage lacks digitalSignature, which re-applies the missing check above the TLS layer.

HarborGuard will notify affected environments through the configured alerting channels as soon as a fix version is available upstream.
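The synopsis above describes the missing check, and the last compensating control re-applies it in application code. The following is an added example, not code from OCaml-TLS or from HarborGuard, written in Go because its standard library can build a throwaway PKI and run X.509 chain validation offline. It constructs a hypothetical deployment in which one CA issues both a server certificate (ExtendedKeyUsage serverAuth only) and an mTLS client certificate (ExtendedKeyUsage clientAuth), then shows a verifier that validates the chain but ignores the purpose extensions (the bug class) beside one that requires clientAuth and digitalSignature. All names, the CA and the two leaf certificates are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template. KeyUsage and ExtKeyUsage are the
// extensions the vulnerable server failed to check. Constructed test data only.
func newTemplate(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs template with parentKey under parent; with a nil parent the
// certificate is self-signed with the freshly generated key.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// TestPKI is a hypothetical deployment where one CA issues both the service's
// server certificate and its mTLS client certificates.
type TestPKI struct {
	Roots  *x509.CertPool
	Client *x509.Certificate // EKU id-kp-clientAuth: a legitimate mTLS client
	Server *x509.Certificate // EKU id-kp-serverAuth only: not meant for client auth
}

// BuildTestPKI generates the CA and both leaf certificates in memory.
func BuildTestPKI() *TestPKI {
	ca, caKey := issue(newTemplate("Test CA", 1, true, nil), nil, nil)
	client, _ := issue(newTemplate("client", 2, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), ca, caKey)
	server, _ := issue(newTemplate("server", 3, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &TestPKI{Roots: roots, Client: client, Server: server}
}

// AcceptClientVulnerable reproduces the bug class: the chain is validated, but
// the purpose extensions are not, so a trusted CA's server cert passes.
func AcceptClientVulnerable(roots *x509.CertPool, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // ExtKeyUsageAny skips the EKU check
	})
	return err == nil
}

// AcceptClientFixed requires the chain to be valid for client authentication and
// the leaf to permit digital signatures (RFC 5280 sections 4.2.1.3 and 4.2.1.12).
func AcceptClientFixed(roots *x509.CertPool, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return false
	}
	// KeyUsage is optional; when present it must include digitalSignature.
	return leaf.KeyUsage == 0 || leaf.KeyUsage&x509.KeyUsageDigitalSignature != 0
}

func main() {
	p := BuildTestPKI()
	for name, c := range map[string]*x509.Certificate{"client": p.Client, "server": p.Server} {
		fmt.Printf("%-6s vulnerable=%v fixed=%v\n", name, AcceptClientVulnerable(p.Roots, c), AcceptClientFixed(p.Roots, c))
	}
}
```

Run with `go run .`: the server certificate is accepted by the vulnerable check and rejected by the fixed one, while the client certificate passes both. The same two conditions (clientAuth present in ExtendedKeyUsage, digitalSignature present in KeyUsage when KeyUsage is set) are what an application-layer compensating check should enforce on the peer certificate until the upstream fix is deployed.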

Affected packages: n/a

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N