HIGH 8.5

CVE-2026-35563: Apache Directory LDAP API Hostname Verification Bypass

A flaw in Apache Directory LDAP API version 2.1.7 allows an attacker with network interception capability to impersonate an LDAP server. The library validates that a certificate is signed by a trusted authority but fails to confirm that the certificate was actually issued for the LDAP server being connected to. An attacker positioned between a client and server can present any valid certificate from their trust store, hijacking the connection and accessing sensitive authentication and directory data.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-297
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be improperly accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise. The root cause of this vulnerability lies in the incomplete TLS server identity verification within the LDAP client implementation. The attacker requires MITM capability on the network to exploit this vulnerability. This attacker must be able to present a certificate trusted by the client's configured trust store. The hostname verification has been enforced in the new version of the LDAP API

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35563 is a server identity verification bypass (CWE-297) in Apache Directory LDAP API 2.1.7. The TLS implementation performs chain validation against trusted certificate authorities but omits hostname verification, permitting an attacker with man-in-the-middle (MITM) capability to present a validly-signed certificate for an unrelated hostname. The server identity is never verified against the intended target, enabling complete connection compromise and impersonation of legitimate LDAP infrastructure.

Business impact

This vulnerability enables attackers to silently intercept and manipulate LDAP authentication flows. In enterprise environments where LDAP provides centralized authentication and directory services, a compromised connection could allow credential harvesting, unauthorized access to directory information (users, groups, roles), or injection of malicious authentication responses. The risk is amplified in on-premises deployments where LDAP credentials govern access to critical systems and applications.

Affected systems

Apache Directory LDAP API version 2.1.7 is affected. Systems using this library for LDAP client connections are at risk, particularly applications performing user authentication, directory lookups, or group membership queries. Organizations should identify all deployed applications that depend on this LDAP API version through software inventory and dependency scanning.

Exploitability

The vulnerability requires both network-level MITM positioning and possession of a valid certificate trusted by the target client's certificate store. The attacker does not need valid LDAP credentials (PR:L in the CVSS vector suggests low privilege escalation, but the actual attack posture requires network access). While the barrier to exploitation is moderate—requiring specific network conditions and a legitimate certificate—the impact is severe once achieved, making this a credible threat in environments with untrusted network segments or where LDAP traffic crosses security boundaries.

Remediation

Upgrade Apache Directory LDAP API to a version that enforces hostname verification. The vendor has released an updated version with hostname verification controls enabled by default. Organizations should prioritize patching systems performing LDAP authentication, particularly in production directory services and single sign-on (SSO) infrastructure. As an interim control, restrict LDAP client connections to trusted, isolated network segments and monitor for unexpected certificate warnings or connection failures.

Patch guidance

Verify the availability of a patched release from the Apache Directory project that re-enables or implements hostname verification. Apply patches first to non-production LDAP clients to validate compatibility with your authentication infrastructure. Test authentication flows, user lookups, and group membership queries after patching. Ensure that custom LDAP configurations or certificate pinning policies are reviewed post-update. Consult the vendor security advisory for specific version numbers and migration guidance.

Detection guidance

Monitor LDAP client logs for certificate validation warnings, hostname mismatches, or TLS errors during connection establishment. Network detection should flag unusual certificate presentations for LDAP ports (389, 636) where the Subject or Subject Alt Name does not match the destination hostname. Implement certificate pinning or strict hostname verification policies at the application level if the underlying LDAP library does not provide it. Review firewall and proxy logs for unexpected LDAP traffic redirects or certificate issuance anomalies.

Why prioritize this

This vulnerability merits rapid patching due to its HIGH severity score (8.5), broad impact scope (affects all confidentiality, integrity, and availability properties), and direct implications for authentication infrastructure. Although exploitation requires MITM positioning, organizations with distributed or hybrid network architectures, untrusted WiFi, or third-party LDAP services should treat this as a critical priority. Compromised LDAP flows directly undermine the security of downstream systems relying on directory authentication.

Risk score, explained

CVSS 3.1 score of 8.5 reflects high-impact consequences (C:H, I:H, A:H—full confidentiality, integrity, and availability compromise across scope change) balanced against moderate attack complexity (AC:H, requiring network positioning and a trusted certificate). The low privilege requirement (PR:L) reflects that an unauthenticated network attacker must first achieve MITM position but does not require prior system access. The score appropriately escalates this from a theoretical to a material threat.

Frequently asked questions

Does this vulnerability affect LDAP over TLS (LDAPS) connections?

Yes. The flaw lies in the client's failure to verify hostname identity after establishing a TLS connection, regardless of whether LDAPS (port 636) or LDAP with STARTTLS is used. Both encrypted transport modes are vulnerable because the certificate chain is validated but the certificate subject is never checked against the target server.

What is the difference between certificate chain validation and hostname verification?

Certificate chain validation confirms that a certificate was issued by a trusted Certificate Authority. Hostname verification confirms that the certificate was issued for the specific hostname or IP address you are connecting to. This vulnerability demonstrates why both checks are essential—a certificate can be perfectly valid but issued for an attacker's server rather than your LDAP directory.

Can this be exploited without a valid certificate?

No. The attacker must present a certificate that is already trusted by the client's certificate store (typically the system's root CA bundle or a custom store). However, certificates are routinely issued to multiple organizations and services, so obtaining a valid certificate for an unrelated hostname is feasible for an attacker with MITM capability.

Does my LDAP server need to be updated, or only the client library?

Only the LDAP client library needs to be updated. The vulnerability exists in client-side verification logic. However, ensure that your LDAP servers are configured to use certificates with correct hostnames and Subject Alt Names to support client-side hostname verification once patched.

This analysis is based on publicly available vulnerability data as of the publication date. CVSS scores and severity assessments reflect the CVSS v3.1 standard and may not capture organization-specific risk factors. Organizations should conduct their own risk assessments considering their LDAP deployment architecture, network security controls, and authentication criticality. Vendor patches and version numbers should be verified against official Apache Directory security advisories before implementation. This document does not constitute security advice and should be reviewed by qualified security personnel before any remediation decisions are made. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).