CVE Reports

Originally published at cvereports.com

CVE-2026-33753: Trust Boundary Confusion and Authorization Bypass in rfc3161-client

Vulnerability ID: CVE-2026-33753
CVSS Score: 6.2
Published: 2026-04-08

The rfc3161-client Python library prior to version 1.0.6 contains a trust boundary confusion vulnerability in its Time-Stamp Protocol (TSP) implementation. The signer's leaf certificate was identified with a flawed topological heuristic, so an attacker who can inject spoofed certificates into the response can bypass authorization checks.

TL;DR

An adversary-in-the-middle can spoof TimeStamping Authority identities in rfc3161-client < 1.0.6 by injecting crafted certificates into the PKCS#7 bag, bypassing Common Name validation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-295
  • Attack Vector: Local / Adversary-in-the-Middle
  • CVSS Score: 6.2
  • Impact: Authorization Bypass
  • Exploit Status: Proof of Concept
  • CISA KEV: Not Listed

Affected Systems

  • rfc3161-client < 1.0.6 (fixed in 1.0.6)

Code Analysis

Commit: 4f7d372

Fix for GHSA-3xxc-pwj6-jgrj: Replace heuristic with explicit issuerAndSerialNumber lookup

Exploit Details

  • Regression Test: Regression test included in the fix commit demonstrates the vulnerability.

Mitigation Strategies

  • Upgrade rfc3161-client to version 1.0.6 or newer.
  • Implement strong TLS certificate pinning for all communications with TimeStamping Authorities.
  • Monitor incoming TimeStampResponses for unusual or overly large certificate bags.
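As an added illustration (not rfc3161-client's code; the "heuristic" below is a constructed stand-in, not the library's actual one), the following contrasts a bag-content-driven leaf guess with the explicit issuerAndSerialNumber lookup named in the fix commit, binds the chain and CN checks to that single certificate, and applies the bag-size check from the mitigation list. Certificate fields, the trust anchor, the size threshold and the sample bags are all constructed.

```python
from collections import namedtuple
Cert = namedtuple("Cert", "subject_cn issuer_cn serial")  # minimal cert stand-in
MAX_BAG_SIZE = 8                        # constructed threshold for the bag-size check
TRUSTED_ROOT_CNS = {"Example Root CA"}  # constructed trust anchor

def pick_by_heuristic(bag):
    # Simplified stand-in for a topological "leaf" guess (first cert that issued
    # nothing else). Not the library's real heuristic; shows bag-driven selection.
    issued = {c.issuer_cn for c in bag if c.issuer_cn != c.subject_cn}
    return next((c for c in bag if c.subject_cn not in issued), None)

def pick_by_sid(bag, sid):
    # Explicit issuerAndSerialNumber lookup, the approach the fix adopts.
    # The match must be unique; a duplicated (issuer, serial) is ambiguous.
    issuer_cn, serial = sid
    hits = [c for c in bag if c.issuer_cn == issuer_cn and c.serial == serial]
    return hits[0] if len(hits) == 1 else None

def chains_to_trusted_root(cert, bag, max_depth=4):
    # Toy chain walk by issuer name; a real check verifies each signature.
    by_subject = {c.subject_cn: c for c in bag}
    cur = cert
    for _ in range(max_depth):
        if cur.issuer_cn == cur.subject_cn:        # self-signed: must be an anchor
            return cur.subject_cn in TRUSTED_ROOT_CNS
        cur = by_subject.get(cur.issuer_cn)
        if cur is None:
            return False
    return False

def validate_tsa_signer(bag, sid, expected_cn):
    # Select, chain-check and name-check the SAME certificate; returns
    # (cert, "ok") on success or (None, reason) naming the failing check.
    if len(bag) > MAX_BAG_SIZE:
        return None, "certificate bag unusually large"
    cert = pick_by_sid(bag, sid)
    if cert is None:
        return None, "sid does not identify exactly one certificate"
    if not chains_to_trusted_root(cert, bag):
        return None, "signer does not chain to a trusted root"
    if cert.subject_cn != expected_cn:
        return None, "signer CN does not match expected TSA"
    return cert, "ok"

# Constructed sample bags (not real TSA data).
ROOT = Cert("Example Root CA", "Example Root CA", 1)
TSA = Cert("Example TSA", "Example Root CA", 1001)
SPOOF = Cert("Example TSA", "Example TSA", 7)   # injected: self-signed, same CN
HONEST_BAG = [ROOT, TSA]
SPOOFED_BAG = [SPOOF, ROOT, TSA]
```

On SPOOFED_BAG the stand-in heuristic returns SPOOF while the sid lookup returns the genuine TSA certificate; a response whose sid names SPOOF is rejected at the chain check, and a bag carrying two certificates with the same issuer and serial is rejected as ambiguous.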

Remediation Steps:

  1. Identify all projects utilizing the rfc3161-client dependency.
  2. Update the dependency explicitly to version 1.0.6 in requirements.txt, Pipfile, or pyproject.toml.
  3. Run the test suite to ensure the stricter signer-certificate validation in 1.0.6 does not break integration with internal PKI infrastructure.
  4. Deploy the updated application to production environments.
