Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

cryptography has incomplete DNS name constraint enforcement on peer names

RSS Feed LOW
GHSA-m959-cc7f-wv43 CVE-2026-34073
Description:

Summary

In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com.

This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.

In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.

See CVE-2025-61727 for a similar bypass in Go's crypto/x509.

Remediation

Users should upgrade to 46.0.6 or newer.

Attribution

Reporter: @1seal

Affected Packages
Ecosystem Package Vulnerable Versions Patched Version
pypi cryptography < 46.0.6
 46.0.6
Related Dependabot Pull Requests
All Open Closed Merged
chore(deps-dev): update sqlalchemy-exasol requirement from <3.0,>=2.4.0 to >=2.4.0,<8.0
Open 3 days ago
arsenyspb/superset #133
pip:sqlalchemy-exasol
arsenyspb
Bump the uv group across 1 directory with 8 updates
Open 4 days ago
GlacierEQ/graphiti #2
pip:python-multipart pip:urllib3 +6 more
GlacierEQ
build(deps): bump the uv group across 2 directories with 17 updates
Closed 4 days ago
open-webui/open-webui #24734
pip:lxml pip:python-multipart +12 more
open-webui
build(deps): bump the uv group across 1 directory with 6 updates
Open 4 days ago
GlacierEQ/langflow #40
pip:cryptography pip:requests +4 more
GlacierEQ
build(deps): bump the pip group across 2 directories with 8 updates
Closed 5 days ago
open-webui/open-webui #24699
pip:python-multipart pip:cryptography +6 more
open-webui
Bump the uv group across 1 directory with 7 updates
Open 5 days ago
GlacierEQ/code-graph-mcp #2
pip:black pip:python-multipart +5 more
GlacierEQ
build(deps): bump the uv group across 1 directory with 10 updates
Open 5 days ago
GlacierEQ/bigcases2 #2
pip:django pip:urllib3 +8 more
GlacierEQ
build(deps): bump the pip group across 2 directories with 8 updates
Closed 5 days ago
open-webui/open-webui #24694
pip:python-multipart pip:cryptography +6 more
open-webui
Bump the pip group across 1 directory with 6 updates
Open 5 days ago
MTES-MCT/apilos #2165
pip:setuptools pip:lxml +4 more
MTES-MCT
Build(deps): bump the uv group across 2 directories with 5 updates
Open 5 days ago
Idun-Group/idun-agent-platform #652
pip:python-multipart pip:urllib3 +3 more
Idun-Group
chore(deps)(deps): bump the minor-and-patch group across 1 directory with 24 updates
Open 7 days ago
outshift-open/ioc-cfn-mgmt-backend-svc #32
pip:coverage pip:uvicorn +21 more
outshift-open
chore(deps): bump the pip group across 2 directories with 7 updates
Closed 7 days ago
pilotwaffle/TORQ-CONSOLE #167
pip:django pip:jinja2 +5 more
pilotwaffle
chore(deps): bump the pip group across 2 directories with 1 update
Open 9 days ago
TruvetaPublic/OpenLinkToken #331
pip:cryptography
TruvetaPublic
Bump the uv group across 2 directories with 16 updates
Closed 10 days ago
open-webui/open-webui #24478
pip:lxml pip:python-multipart +11 more
open-webui
Bump the pip group across 2 directories with 8 updates
Closed 10 days ago
open-webui/open-webui #24446
pip:python-multipart pip:cryptography +6 more
open-webui
Bump the pip group across 2 directories with 8 updates
Closed 10 days ago
open-webui/open-webui #24442
pip:python-multipart pip:cryptography +6 more
open-webui
Bump the pip group across 4 directories with 7 updates
Closed 11 days ago
XavierMP14/uv #16
pip:uv pip:cryptography +5 more
XavierMP14
chore(deps): bump the uv group across 3 directories with 8 updates
Closed 11 days ago
AKJUS/semgrep #204
pip:protobuf pip:python-multipart +4 more
AKJUS
Bump the uv group across 2 directories with 23 updates
Closed 12 days ago
open-webui/open-webui #24422
pip:werkzeug pip:lxml +17 more
open-webui
Bump the pip group across 3 directories with 9 updates
Closed 12 days ago
nssuwan186-dev/uv #15
pip:setuptools pip:jinja2 +4 more
nssuwan186-dev
Bump cryptography from 45.0.4 to 46.0.7
Closed 14 days ago
Velocidex/pyvelociraptor #38
pip:cryptography
Velocidex
Bump the uv group across 2 directories with 24 updates
Closed 14 days ago
open-webui/open-webui #24366
pip:torch pip:werkzeug +18 more
open-webui
chore(deps): bump the uv group across 1 directory with 4 updates
Closed 15 days ago
Canner/WrenAI #2213
pip:lxml pip:python-multipart +2 more
Canner
Bump cryptography from 46.0.5 to 46.0.7
Open 15 days ago
TECHKNOWMAD-LABS/pitch-critic #7
pip:cryptography
TECHKNOWMAD-LABS
chore(deps): bump cryptography from 46.0.5 to 46.0.7
Closed 16 days ago
rame10566/smartledger #2
pip:cryptography
rame10566
Bump the uv group across 1 directory with 5 updates
Open 16 days ago
jayvicsanantonio/blender-mcp #2
pip:h11 pip:cryptography +3 more
jayvicsanantonio
Bump cryptography from 44.0.2 to 46.0.7
Closed 17 days ago
hawkli-1994/CF-Ares #16
pip:cryptography
hawkli-1994
chore(deps): bump the uv group across 4 directories with 10 updates
Open 17 days ago
langwatch/langwatch #3684
pip:tornado pip:python-multipart +5 more
langwatch
chore(deps): bump the uv group across 4 directories with 12 updates
Closed 17 days ago
langwatch/langwatch #3677
pip:tornado pip:python-multipart +7 more
langwatch
chore(deps): bump the uv group across 3 directories with 6 updates
Open 17 days ago
langwatch/langwatch #3676
pip:tornado pip:cryptography +4 more
langwatch
chore(deps): bump the uv group across 4 directories with 13 updates
Open 17 days ago
langwatch/langwatch #3672
pip:tornado pip:python-multipart +8 more
langwatch
build(deps): bump cryptography from 45.0.4 to 46.0.7
Closed 17 days ago
danielsimonjr/Windows-mcp #8
pip:cryptography
danielsimonjr
chore(deps): bump the uv group across 1 directory with 3 updates
Closed 18 days ago
langwatch/langwatch #3649
pip:black pip:cryptography +1 more
langwatch
Bump cryptography from 46.0.5 to 46.0.7
Open 18 days ago
introspection-org/introspection-python-sdk #7
pip:cryptography
introspection-org
Bump the pip group across 1 directory with 3 updates
Open 19 days ago
joseguzman1337/MITMf #6
pip:lxml pip:cryptography +1 more
joseguzman1337
build(deps): bump cryptography from 46.0.4 to 46.0.7 in /backend
Closed 19 days ago
tresor-del/esat_hub #20
pip:cryptography
tresor-del
chore(deps): bump cryptography from 45.0.4 to 46.0.7 in /rs/rosetta-api/examples/icrc1/python
Open 20 days ago
alialobidm/ic #3
pip:cryptography
alialobidm
Bump cryptography from 46.0.5 to 46.0.7 in /server
Open 20 days ago
SURFscz/SBS #2365
pip:cryptography
SURFscz
build(deps): bump the minor-updates group across 1 directory with 23 updates
Closed 21 days ago
awslabs/mcp-server-for-oscal #112
pip:boto3 pip:uvicorn +21 more
awslabs
Bump cryptography from 1.7.2 to 46.0.7
Open 22 days ago
bvolpato/superset #1
pip:cryptography
bvolpato
chore(deps): bump cryptography from 45.0.4 to 46.0.7
Open 22 days ago
bvolpato/mcp-atlassian #1
pip:cryptography
bvolpato
build(deps): bump the uv group across 1 directory with 6 updates
Open 23 days ago
yaennu/jazzy #131
pip:python-multipart pip:pytest +4 more
yaennu
Bump the pip group across 1 directory with 5 updates
Open 23 days ago
edwardtheharris/dotfiles #457
pip:urllib3 pip:cryptography +3 more
edwardtheharris
chore(deps): bump cryptography from 46.0.5 to 46.0.7
Closed 24 days ago
HKUSTDial/DeepEye #2
pip:cryptography
HKUSTDial
Bump the pip group across 2 directories with 3 updates
Open 24 days ago
fitanon/square-notion-sync #9
pip:cryptography pip:requests +1 more
fitanon
chore(deps): bump the uv group across 2 directories with 5 updates
Closed 24 days ago
Project-Tick/Project-Tick #35
pip:urllib3 pip:cryptography +3 more
Project-Tick
Bump the pip group across 1 directory with 5 updates
Closed 24 days ago
Aarogaming/AaroneousAutomationSuite #270
pip:python-multipart pip:pytest +3 more
Aarogaming
chore(deps): Bump cryptography from 43.0.3 to 46.0.7 in /apps/myrestaurantreviews/backend
Open 25 days ago
jykwon91/MyFreeApps #17
pip:cryptography
jykwon91
chore: bump the python-minor-patch group across 2 directories with 20 updates
Open 25 days ago
ianlasic03/open-wearables-demo #15
pip:boto3 pip:fastapi +17 more
ianlasic03
chore(deps): update cryptography requirement from <47.0.0,>=44.0.3 to >=46.0.7,<47.0.0
Closed 25 days ago
bybatkhuu/module-python-utils #38
pip:cryptography
bybatkhuu
Actions
View on GitHub All Advisories
Advisory Details
Published: March 27, 2026 about 2 months ago
Updated: April 26, 2026 22 days ago
CVSS Score: 1.7 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
EPSS: 0.01% 1th percentile
Source: Github
Classification: GENERAL
UUID: GSA_kwCzR0hTQS1tOTU5LWNjN2Ytd3Y0M84ABUZe
PR Statistics
PR Status
Open 204 (28.0%)
Merged 0 (0.0%)
Closed 524 (72.0%)
Update Types
Major 309 (14.9%)
Minor 680 (32.8%)
Patch 1032 (49.8%)
References