CVE-2026-35563

EUVD-2026-33569

01.06.2026, 08:16

It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP
hostname. While the underlying code validates the certificate chain
against a trusted authority, the absence of endpoint identification
allows a valid certificate issued for an entirely unrelated host to be
improperly accepted. This oversight leaves the connection highly
vulnerable to server impersonation and complete connection compromise.

The
root cause of this vulnerability lies in the incomplete TLS server
identity verification within the LDAP client implementation.

The attacker requires MITM capability on the network to exploit this vulnerability. This attacker must be able to present a certificate trusted by the client's configured trust store.

The hostname verification has been enforced in the new version of the LDAP API

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
apache	CNA	8.8 HIGH	NETWORK	HIGH	LOW	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:L/SA:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 6%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
apache	directory_ldap_api	2.0.0 ≤ 𝑥 ≤ 2.1.7	CNA

Debian Releases

Debian Product

Codename

apache-directory-api

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

Common Weakness Enumeration

CWE-297 - Improper Validation of Certificate with Host Mismatch
The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.

References

https://lists.apache.org/thread/5rc2nzqxp1m9wknyf93r8dnp46fhc1nn

http://www.openwall.com/lists/oss-security/2026/06/01/2