Improper Certificate Validation Affecting rustls-webpki package, versions >=0.101.0 <0.103.12>=0.104.0-alpha.1 <0.104.0-alpha.6
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-RUSTLSWEBPKI-16110814
- published22 Apr 2026
- disclosed16 Apr 2026
- creditOleh Konko
Introduced: 16 Apr 2026
New CVE NOT AVAILABLE CWE-295 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade rustls-webpki to version 0.103.12, 0.104.0-alpha.6 or higher.
Overview
Affected versions of this package are vulnerable to Improper Certificate Validation due to the incorrect acceptance of permitted subtree name constraints for DNS names in certificates asserting a wildcard name. An attacker can bypass intended name constraints by presenting a certificate with a wildcard DNS name that matches outside the permitted subtree after signature verification and in cases of certificate misissuance.
Note: This is only exploitable if a misissued certificate is accepted after signature verification.