Certificate Verification Flaw in Go's Cryptography Module
CVE-2026-27137
7.5 HIGH
What is CVE-2026-27137?
A flaw has been identified in the certificate verification process of Go's cryptography module: it fails to properly apply multiple email address constraints in a certificate chain. When a chain contains email address constraints whose local portions are identical but whose domain portions differ, only the last constraint specified is applied. As a result, security policies may not be enforced as configured, which could allow unintended access or cause verification issues, posing a risk to applications that rely on accurate certificate validation.
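A self-check for the condition described above, written for this page as an added example (it is not code from the Go project or from the advisory). It builds a throwaway CA whose name constraints exclude two mailboxes with the same local part and reports which leaf certificates `Verify` rejects. The helper names `must`, `sign` and `Rejected` and all addresses are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable for a throwaway self-test.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with key and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// Rejected reports, per address, whether a leaf with that rfc822Name SAN fails Verify under a CA excluding `excluded`.
func Rejected(excluded, addrs []string) map[string]bool {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // one throwaway key for CA and leaves
	from, to := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExcludedEmailAddresses: excluded}
	ca := sign(caTmpl, caTmpl, key)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	out := map[string]bool{}
	for i, addr := range addrs {
		leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(int64(i + 2)), Subject: pkix.Name{CommonName: "leaf"},
			NotBefore: from, NotAfter: to, EmailAddresses: []string{addr}}, ca, key)
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		out[addr] = err != nil
	}
	return out
}

func main() { // constructed addresses: two exclusions sharing local part "alice", plus a control
	fmt.Println(Rejected([]string{"alice@example.com", "alice@example.org"},
		[]string{"alice@example.com", "alice@example.org", "bob@example.net"}))
}
```

When every constraint is applied, both `alice` addresses report `true` and the control reports `false`. Going by the description above, a `false` for `alice@example.com` is the result to expect from an affected toolchain, since that exclusion is not the last one listed.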
Affected Version(s)
crypto/x509 1.26.0-0 < 1.26.1
