CVE-2026-55599

MEDIUM 5.8

phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access

CVSS Score

5.8

EPSS Score

0.0%

EPSS Percentile

0th

phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate's Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. This vulnerability is fixed in 1.0.30, 2.0.55, and 3.0.54.

CWE	CWE-918
Vendor	phpseclib
Product	phpseclib
Published	Jun 22, 2026

Stay Ahead of the Next One

Get instant alerts for phpseclib phpseclib

Be the first to know when new medium vulnerabilities affecting phpseclib phpseclib are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

phpseclib / phpseclib

>= 0.1.1, < 1.0.30 >= 2.0.0, < 2.0.55 >= 3.0.0, < 3.0.54

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/phpseclib/phpseclib/security/advisories/GHSA-m557-wrgg-6rp4