CVE-2026-33810
Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
1th
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
| Vendor | go standard library |
| Product | crypto/x509 |
| Published | Apr 8, 2026 |
| Last Updated | Apr 20, 2026 |
Stay Ahead of the Next One
Get instant alerts for go standard library crypto/x509
Be the first to know when new high vulnerabilities affecting go standard library crypto/x509 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Go standard library / crypto/x509
1.26.0-0 < 1.26.2
References
go.dev: https://go.dev/cl/763763 go.dev: https://go.dev/issue/78332 groups.google.com: https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU pkg.go.dev: https://pkg.go.dev/vuln/GO-2026-4866 openwall.com: http://www.openwall.com/lists/oss-security/2026/04/19/4 openwall.com: http://www.openwall.com/lists/oss-security/2026/04/20/1
Credits
Riyas from Saintgits College of Engineering k1rnt @1seal