{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33810", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-23T20:35:32.814Z", "datePublished": "2026-04-08T01:06:56.546Z", "dateUpdated": "2026-04-08T01:06:56.546Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-08T01:06:56.546Z"}, "title": "Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509", "descriptions": [{"lang": "en", "value": "When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."}], "affected": [{"vendor": "Go standard library", "product": "crypto/x509", "collectionURL": "https://pkg.go.dev", "packageName": "crypto/x509", "versions": [{"version": "1.26.0-0", "lessThan": "1.26.2", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "newDNSConstraints"}, {"name": "dnsConstraints.query"}, {"name": "Certificate.Verify"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-295: Improper Certificate Validation"}]}], "references": [{"url": "https://go.dev/cl/763763"}, {"url": "https://go.dev/issue/78332"}, {"url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4866"}], "credits": [{"lang": "en", "value": "Riyas from Saintgits College of Engineering"}, {"lang": "en", "value": "k1rnt"}, {"lang": "en", "value": "@1seal"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool."}], "id": "CVE-2026-33810", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T02:16:03.950", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/763763"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78332"}, {"source": "security@golang.org", "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4866"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T02:50:42.838332+00:00", "value": {"mitigation_remediation": ["Upgrade the Go runtime to the latest patched release that addresses issue\u00a078332, available in the official Go release channel or via the Go issue tracker at https://go.dev/issue/78332.", "If an immediate update is not feasible, modify the application\u2019s certificate policy to avoid relying on name constraints, or remove such constraints from any trusted root certificates used by VerifyOptions.Roots or the system pool.", "Continuously monitor Go project announcements and security advisories for interim mitigations or additional patches, ensuring the application\u2019s certificate handling remains compliant with updated standards."], "summary": {"action": "Patch promptly", "impact": "Authentication bypass via certificate validation"}, "threat_synthesis": {"affected_systems": "All versions of the Go runtime that use the crypto/x509 package without the fix are affected. The flaw impacts any application that performs certificate chain verification against a root CA in VerifyOptions.Roots CertPool or the system certificate pool. No specific version numbers are provided, indicating that any pre\u2011patched release is potentially vulnerable.", "description_and_impact": "The vulnerability resides in the Go standard library\u2019s crypto/x509 package, where excluded DNS constraints are not correctly applied to wildcard DNS subject alternative names that differ only in case from the constraint. This flaw enables an attacker to supply a certificate chain that passes validation checks while actually violating the intended name constraints, effectively bypassing authentication mechanisms that rely on strict certificate validation.", "risk_and_exploitability": "The vulnerability is not listed in the CISA KEV catalog and has no EPSS score, yet its potential to undermine trust in certificate chains makes it a high\u2011risk issue for systems enforcing name constraint policies. Exploitation requires the ability to supply a malicious certificate chain containing an excluded subtree constraint that differs only in case from a wildcard SAN. The attack vector is inferred to be either local or remote, depending on whether the target application accepts user\u2011supplied certificates, and could result in unauthorized access or privilege escalation within the affected application."}}}}, "created": "2026-04-08T19:44:24.085796+00:00", "updated": "2026-04-08T19:44:24.085838+00:00", "vendors": [], "weaknesses": ["CWE-295"]}