CVE-2026-45389
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
In OCaml-TLS before version 2.1.0, the server implementation does insufficient checks of the certificate provided by the client during client authentication. This allows impersonation with certificates that are not meant for client authentication.
Risk Assessment
Organizations may be exposed to impersonation attacks, which can lead to unauthorized access to resources and data.
Recommendation
It is recommended to update OCaml-TLS to version 2.1.0 or later to ensure proper certificate checks during client authentication.
Original NVD description (English source)
In OCaml-TLS before 2.1.0, the server implementation does insufficient checks of the certificate provided by the client (when doing client authentication), which allows impersonation with certificates that are not meant for client authentication (because of KeyUsage and ExtendedKeyUsage).

