{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-34873", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-02T16:24:46.024Z", "dateReserved": "2026-03-31T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T20:11:08.336Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/"}, {"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "CWE-287 Improper Authentication"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:54:35.519227Z", "id": "CVE-2026-34873", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:24:46.024Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session."}], "id": "CVE-2026-34873", "lastModified": "2026-04-01T21:17:01.990", "metrics": {}, "published": "2026-04-01T21:17:01.990", "references": [{"source": "cve@mitre.org", "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/"}, {"source": "cve@mitre.org", "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{"bugzilla": {"description": "mbedtls: Mbed TLS: Client impersonation during TLS 1.3 session resumption", "id": "2454108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454108"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-290", "details": ["An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session.", "A flaw was found in Mbed TLS. This vulnerability allows a remote attacker to impersonate a client during the resumption of a TLS 1.3 session. This could lead to unauthorized access or other security breaches by allowing the attacker to act as a legitimate client."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-34873", "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34873\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34873\nhttps://mbed-tls.readthedocs.io/en/latest/security-advisories/\nhttps://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/"], "statement": "This Critical flaw in Mbed TLS allows a remote attacker to impersonate a client during TLS 1.3 session resumption, potentially leading to unauthorized access. Red Hat products utilizing Mbed TLS for client-side TLS 1.3 session resumption are affected if this feature is enabled.", "threat_severity": "Critical"}

{}