TLS 1.3 Post-Handshake Authentication Flaw in wolfSSL Products
CVE-2026-55962

6 MEDIUM

Key Information:

Vendor

wolfSSL

Status
Vendor
CVE Published:
25 June 2026

What is CVE-2026-55962?

A vulnerability in wolfSSL's implementation of TLS 1.3 post-handshake authentication allows a server to accept a client's Finished message without the required client Certificate and CertificateVerify messages. The flaw occurs because the exemption for an empty or absent peer certificate was also applied to post-handshake authentication, where both messages should have been required. The fix restricts this exemption to the initial handshake: once a post-handshake CertificateRequest has been sent, the server requires a valid peer certificate and CertificateVerify before accepting the Finished message. Only servers that use post-handshake authentication and are configured to request client certificates are affected.
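
The check described above, as a simplified model added here for illustration; it is not wolfSSL's code. The struct, its fields and the function names are hypothetical, and `allow_no_peer_cert` is an assumed stand-in for whatever configuration grants the initial-handshake exemption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical server-side state; these are not wolfSSL's names. */
struct srv_state {
    bool post_hs_req_sent;   /* post-handshake CertificateRequest was sent */
    bool have_peer_cert;     /* non-empty client Certificate received */
    bool have_peer_verify;   /* CertificateVerify received and validated */
    bool allow_no_peer_cert; /* assumed config: exemption for empty/absent cert */
};

/* Flawed: the exemption is consulted in every phase. */
bool accept_finished_flawed(const struct srv_state *s)
{
    if (s->have_peer_cert)
        return s->have_peer_verify;
    return s->allow_no_peer_cert;
}

/* Fixed: the exemption is limited to the initial handshake. */
bool accept_finished_fixed(const struct srv_state *s)
{
    if (s->have_peer_cert)
        return s->have_peer_verify;
    if (s->post_hs_req_sent)
        return false;
    return s->allow_no_peer_cert;
}

/* Count states where the flawed check accepts but the fixed one rejects. */
int count_divergent(void)
{
    int n = 0;
    for (int bits = 0; bits < 16; bits++) {
        struct srv_state s = { bits & 1, bits & 2, bits & 4, bits & 8 };
        if (accept_finished_flawed(&s) && !accept_finished_fixed(&s))
            n++;
    }
    return n;
}

int main(void)
{
    struct srv_state s = { true, false, false, true };
    printf("post-handshake, no cert: flawed=%d fixed=%d divergent=%d\n",
           accept_finished_flawed(&s), accept_finished_fixed(&s), count_divergent());
    return 0;
}
```

The two checks differ only when a post-handshake CertificateRequest is outstanding, no client certificate has arrived, and the exemption is enabled, which matches the advisory's statement that only servers using post-handshake authentication are affected.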

Affected Version(s)

wolfSSL 5.5.4 <= 5.9.1

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

NVIDIA Project Vanessa