Bypass Vulnerability in PHP Secure Communications Library by phpseclib
CVE-2026-44167

7.5 HIGH

Key Information:

Vendor

PHPseclib

Status
Vendor
CVE Published: 12 May 2026

What is CVE-2026-44167?

phpseclib, a PHP secure communications library, is susceptible in versions prior to 1.0.29, 2.0.54, and 3.0.52 to a bypass vulnerability when handling untrusted ASN.1 files, such as X.509 certificates and RSA PKCS#8 keys. Loading these files can put the integrity and confidentiality of data at risk. Users are encouraged to upgrade to the latest versions to mitigate this vulnerability and safeguard their applications.

Affected Version(s)

phpseclib >= 3.0.0, < 3.0.52

phpseclib >= 2.0.0, < 2.0.54

phpseclib >= 0.1.1, < 1.0.29

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
