Trust without verification: wolfSSL accepts forged certificate chains (CVE-2026-5501)
A certificate validation bypass in wolfSSL's OpenSSL compatibility layer lets anyone holding a free Let's Encrypt cert forge a TLS chain for any domain. CVE-2026-5501 (CVSS 4.0 score 8.6) affects nginx and haproxy builds linked against wolfSSL. Patched in 5.9.1, …