External risk intelligence

OCaml-TLS Client Authentication Bypass Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-45389

A vulnerability in OCaml-TLS server implementations allows clients to bypass authentication by presenting certificates not intended for client authentication due to insufficient validation. This could enable impersonation and unauthorized access to services that rely on client certificate authentication. The relevance

3Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-45389

The vulnerability exists in a TLS library implementation. While TLS libraries are frequently used in internet-facing services, the specific flaw concerns client authentication certificate validation. This configuration is often used in restricted environments like private APIs or mutual-TLS setups, making widespread public internet exposure less certain than a standard web server vulnerability.

PCI scan relevance

PCI Relevance for CVE-2026-45389

Yes

CVE-2026-45389 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in OCaml-TLS could lead to an automatic PCI scan failure due to improper client certificate validation, allowing for impersonation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in a widely used TLS library, potentially allowing attackers to impersonate legitimate clients. This issue stems from insufficient checks on client-provided certificates, enabling the use of improper credentials for authentication. The main concern is confirming relevance and exposure within our systems.

  • Weak certificate checks allow unauthorized client impersonation.
  • Matters due to widespread use of TLS for secure connections.
  • Assess if client authentication is used and confirm exposure.

Attack Path

How an attacker could exploit the issue

An attacker could impersonate a legitimate client to a vulnerable server by using a certificate that isn't intended for client authentication. This is possible because the server doesn't properly verify the client's certificate during the authentication process. If successful, this could allow the attacker to gain unauthorized access or perform actions as the impersonated client.

  • No authentication required.
  • Server insufficiently checks client certificate.
  • Impersonation and unauthorized access.

Live Threat

Current exploitation, exposure, and threat context

The OCaml-TLS library's server-side client authentication could be vulnerable to impersonation. This occurs when the server does not adequately verify client certificates, potentially accepting those not intended for client authentication. This could allow an attacker to impersonate a legitimate client when supported by the advisory.

  • Compromised client credentials.
  • Impersonation via invalid certificates.
  • Unauthorized access to protected services.

Operational Fix

Recommended remediation, mitigation, and detection steps

The OCaml-TLS vulnerability impacts the server's client authentication process, suggesting that teams managing services that require client-side certificates for authentication are most likely responsible. The immediate priority is to identify all instances of OCaml-TLS used for server-side client authentication, determine their exposure and criticality, and then assign ownership for remediation planning.

  • Application owners should own the issue.
  • Verify TLS server client authentication usage.
  • Plan remediation based on identified risk.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is OCaml-TLS?

OCaml-TLS is a security library written in OCaml that provides Transport Layer Security (TLS) implementations. Developers use it to add secure, encrypted communication to their software applications, ensuring data privacy and integrity between a client and a server. It is a functional-language alternative to traditional C-based TLS libraries.

How does CVE-2026-45389 work?

This vulnerability is an improper certificate validation issue. The server fails to properly check the KeyUsage or ExtendedKeyUsage fields in a client's certificate during authentication. Because of this, the server might accept a certificate for a purpose it was never meant for, allowing an attacker to present an invalid or incorrectly scoped certificate to successfully impersonate a legitimate client.

Can any TLS connection trigger this bug?

No. The flaw specifically affects the server-side logic when the server is configured to perform client authentication. If the server does not require certificates to authenticate clients, this specific vulnerability is not triggered. Standard TLS connections that only authenticate the server to the client are not impacted by this impersonation flaw.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal notes that while TLS libraries are common in internet-facing services, this bug specifically impacts mutual-TLS or restricted private API setups. This means your exposure depends on whether your services use client-side certificate validation, which is often found in internal or specialized environments rather than typical public web traffic.

What should I do if I use OCaml-TLS?

Begin by auditing your infrastructure to identify which applications use OCaml-TLS and specifically enable client-side certificate authentication. Once identified, confirm if these services are exposed to untrusted networks. Coordinate with your development teams to verify if your library version is earlier than 2.1.0 and plan for an update to a patched version.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified