Not Failing Securely ('Failing Open') Affecting com.ongres.scram:scram-common package, versions [,3.3)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-COMONGRESSCRAM-17810278
  • published3 Jul 2026
  • disclosed1 Jul 2026
  • creditKEIJOT

Introduced: 1 Jul 2026

NewCVE-2026-53712  (opens in a new tab)
CWE-636  (opens in a new tab)

How to fix?

Upgrade com.ongres.scram:scram-common to version 3.3 or higher.

Overview

Affected versions of this package are vulnerable to Not Failing Securely ('Failing Open') in the TlsServerEndpoint process when a server presents an X.509 certificate using a modern signature algorithm lacking traditional naming structures. An attacker can bypass strict client-side enforcement policies by performing a TLS man-in-the-middle attack that silently downgrades authentication from channel-bound to non-channel-bound modes. This is only exploitable if the downstream application layer explicitly enforces strict channel binding enforcement.

CVSS Base Scores

version 4.0
version 3.1