DNS Name Constraints Issue in Cryptography Package by PyCA
CVE-2026-34073

1.7 LOW

Key Information:

Vendor: PyCA
CVE Published: 31 March 2026

What is CVE-2026-34073?

The cryptography package, which exposes cryptographic primitives and recipes to Python developers, contained a flaw prior to version 46.0.6 in how DNS name constraints were validated. Name constraints were checked only against the SANs in child certificates, and not against the peer name during each validation. As a result, a malicious peer name like bar.example.com could be incorrectly validated against a wildcard certificate for *.example.com, which could lead to potential security risks. This issue has been resolved in version 46.0.6.

Affected Version(s)

cryptography < 46.0.6

CVSS V4

Score: 1.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
