๐Ÿ” CVE Alert

CVE-2026-53712

UNKNOWN 0.0

SCRAM: Silent channel-binding authentication downgrade via unsupported certificate algorithms

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to 3.3, a flaw in com.ongres.scram:scram-client and com.ongres.scram:scram-common allows an attacker capable of a TLS man-in-the-middle attack to silently downgrade a connection from SCRAM-SHA-256-PLUS with channel binding to standard SCRAM-SHA-256 without channel binding when TlsServerEndpoint processes an X.509 certificate using a modern signature algorithm such as Ed25519; getChannelBindingData() can return an empty byte array after NoSuchAlgorithmException, and the ScramClient builder treats that as absent channel-binding data. This issue is fixed in version 3.3.

CWE CWE-636 CWE-757
Vendor ongres
Product scram
Published Jul 17, 2026
Last Updated Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for ongres scram

Be the first to know when new unknown vulnerabilities affecting ongres scram are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

ongres / scram
< 3.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/ongres/scram/security/advisories/GHSA-p9jg-fcr6-3mhf github.com: https://github.com/ongres/scram/releases/tag/3.3