anonhaven
Ad

CVE-2026-33810

HIGH CVSS 3.1: 8.2 EPSS 0.01%
Updated Apr 17, 2026
Golang
Parameter Value
CVSS 8.2 (HIGH)
Affected Versions 1.26.0 — 1.26.2
Fixed In 1.26.2
Type CWE-295 (Improper Certificate Validation)
Vendor Golang
Public PoC No

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-295 Improper Certificate Validation

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Golang Go
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
 1.26.0 1.26.2

References 4

https://go.dev/cl/763763
security@golang.org
https://go.dev/issue/78332
security@golang.org
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
security@golang.org
https://pkg.go.dev/vuln/GO-2026-4866
security@golang.org
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-32289

Go Standard Library

6.1

CVE-2026-32288

Go Standard Library

5.5

CVE-2026-32283

Golang

7.5

CVE-2026-32282

Golang

6.4

CVE-2026-32281

Golang

7.5