MEDIUM 5.3

CVE-2026-42769: OpenSSL CMP Root CA Certificate Validation Bypass

A defect in OpenSSL's Certificate Management Protocol (CMP) implementation allows an attacker with valid Registration Authority credentials to trick CMP clients into accepting a forged root CA certificate as legitimate. The flaw stems from a typo in certificate chain validation code that disabled critical signature verification checks during root CA key rollover operations. While the vulnerability requires the attacker to already possess RA-level credentials, successful exploitation would grant them root CA authority over affected clients—a significant privilege escalation. The FIPS module implementation of OpenSSL is not affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-295
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-42769 involves a certificate verification failure in OpenSSL's handling of the 'id-it-rootCaKeyUpdate' CMP message type defined in RFC 9810. When processing root CA key rollover messages, the OSSL_CMP_get1_rootCaKeyUpdate() function is responsible for validating the 'newWithOld' certificate (the new root CA cert signed by the old root CA key) to establish trust chain continuity. A typo in the certificate chain building logic incorrectly adds the 'newWithOld' certificate itself to the verification chain instead of the 'oldRoot' certificate, nullifying cryptographic signature verification. The verification code then only checks issuer name and algorithm OIDs—insufficient to prevent substitution of an arbitrary self-signed certificate. An attacker with RA-level CMP message protection credentials can craft a malicious 'id-it-rootCaKeyUpdate' message containing their own certificate, which vulnerable clients will accept as a valid new trust anchor. FIPS-mode OpenSSL is unaffected as the vulnerable code lies outside FIPS module boundaries.

Business impact

Successful exploitation enables privilege escalation from RA to root CA level within PKI deployments relying on OpenSSL CMP clients. An attacker could issue arbitrary certificates, intercept encrypted communications, and impersonate any entity in the affected trust domain. Organizations using CMP for automated root CA key rotation face potential compromise of their entire certificate infrastructure. However, real-world impact is constrained by the precondition of needing valid RA credentials—typically limiting attacks to insider threats, compromised RA systems, or scenarios where an attacker has already breached the PKI registration service. Remediation requires patching and verification that no unauthorized root CA certificates were installed during key rotation operations.

Affected systems

OpenSSL versions containing the vulnerable CMP implementation are affected. The defect applies specifically to OpenSSL installations outside FIPS mode. Organizations should identify all CMP client deployments using non-FIPS OpenSSL that perform or accept root CA key rollover operations. Common scenarios include automated certificate renewal systems, distributed PKI client nodes, and certificate management appliances. OpenSSL FIPS module instances are inherently protected by architectural separation, but hybrid deployments mixing FIPS and non-FIPS code paths require careful inventory.

Exploitability

The vulnerability carries a CVSS 3.1 score of 5.3 (Medium severity) with a vector reflecting low attack complexity but high privilege bar: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N. Exploitation requires the attacker to already possess valid RA-level credentials and CMP message protection keys—a significant precondition that restricts the threat to scenarios involving insider access, credential compromise, or RA infrastructure breach. The attack is network-accessible and requires no user interaction once credentials are obtained. Practical exploitation depends on timing access to a legitimate root CA key rollover window and injecting the malicious 'id-it-rootCaKeyUpdate' message into the CMP transaction flow. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Remediation

Apply security updates from OpenSSL that correct the certificate chain building logic in the OSSL_CMP_get1_rootCaKeyUpdate() function. Verify the patch against the official OpenSSL security advisory to confirm the typo fix and restoration of proper 'oldRoot' certificate chain construction. Organizations should also audit recent root CA key rollover operations in their CMP logs to detect whether any unauthorized root certificates were installed. Consider implementing additional monitoring on CMP message processing to alert on certificate verification anomalies. If root CA compromise is suspected, conduct a forensic review of issued certificates and consider revoking the affected root and reissuing the complete certificate hierarchy.

Patch guidance

Consult the OpenSSL security advisory accompanying this CVE for specific patched version numbers and release dates. Apply patches to all non-FIPS OpenSSL deployments, prioritizing systems actively performing CMP-based root CA key rollover. Test patches in a staging environment with a known root CA rollover cycle to verify that certificate chain verification is properly enforced before production deployment. Coordinate patching with your PKI lifecycle schedule to avoid disrupting planned key rotation windows. Note that systems running OpenSSL in FIPS mode do not require remediation, though maintaining parity across your OpenSSL fleet is advisable for consistency.

Detection guidance

Monitor CMP transaction logs and OpenSSL debug output for any 'id-it-rootCaKeyUpdate' message processing, particularly entries that succeed in installing a new root CA certificate. Anomalies include: certificate chain verification steps that appear to be skipped or incomplete, unexpected root certificates in the trust store post-rollover, or multiple rollover messages for the same root CA within an abnormal timeframe. Implement logging of the full 'newWithOld' certificate content during verification to enable forensic analysis. If available, enable OpenSSL diagnostic logging or use packet-level capture of CMP protocol exchanges to reconstruct the certificates presented in recent key rollover events. Cross-reference installed root certificates with your PKI documentation to identify any out-of-band additions.

Why prioritize this

Prioritize remediation based on the scope of your CMP client deployment and the frequency of root CA key rollover operations. Organizations actively using CMP for automated PKI management should patch immediately, as they represent the most likely attack surface. Insider threat and supply-chain compromise scenarios elevate risk if your RA infrastructure or CMP client systems are high-value targets. However, the requirement for pre-existing RA credentials significantly constrains the threat model—this is not a wormable or widespread network vulnerability. Patch scheduling should integrate with planned root CA key rotation activities to minimize operational disruption while closing the window of exposure.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects a Medium severity rating driven by the high confidentiality impact (C:H) of potential certificate abuse, offset by the substantial privilege and complexity preconditions. A successful attacker can issue forged certificates without detection (confidentiality breach of trust), but cannot directly cause service unavailability or data corruption (I and A are N). The AC:H (High attack complexity) and PR:L (Low privilege requirement, interpreted as RA-level credentials) appropriately capture the significant setup barrier. The rating correctly avoids either overstating the risk (given the credential precondition) or understating it (given the severity of root CA compromise if successful). Organizations should apply their own risk context: insider-threat-heavy environments may warrant upgrading priority despite the CVSS rating.

Frequently asked questions

Does this vulnerability affect OpenSSL FIPS implementations?

No. The vulnerable code lies outside the OpenSSL FIPS module boundary. Systems running OpenSSL in FIPS mode are architecturally protected and do not require remediation for this CVE.

What credentials are required to exploit this vulnerability?

The attacker must already possess valid Registration Authority (RA) level credentials and the ability to generate CMP messages that pass message protection checks (signature or MAC verification). This typically implies access to compromised RA systems or stolen RA private keys. Possession of credentials alone is insufficient; the attacker must also intercept or forge a CMP 'id-it-rootCaKeyUpdate' message at a time when the client is expecting root CA key rollover.

How can we detect if this vulnerability was exploited in our environment?

Audit your CMP transaction logs and root CA certificate store to identify any root certificates installed outside of your planned key rollover schedule. Compare the subject and public key of current root CA certificates against your PKI documentation. If you retain CMP protocol logs, examine 'id-it-rootCaKeyUpdate' messages to verify that the 'newWithOld' certificate issuer matches your old root CA certificate. A mismatch or an unexpected issuer name is a strong indicator of exploitation.

Is there a workaround if we cannot patch immediately?

Temporarily disable or restrict CMP-based root CA key rollover operations until patches are applied. If manual root CA key rotation is feasible in your PKI, you can substitute CMP automation with offline procedures during the interim. Additionally, implement strict network access controls and audit logging around RA systems and CMP clients to reduce the risk of credential compromise. However, these are temporary mitigations; patching is the definitive remediation.

This analysis is based on publicly available vulnerability data as of the publication date. Patch version numbers, vendor advisory links, and specific affected OpenSSL versions should be verified against official OpenSSL security announcements. This vulnerability requires pre-existing RA credentials; it is not a remotely exploitable unauthenticated vulnerability. Organizations should conduct their own risk assessment in the context of their PKI architecture, credential security posture, and CMP deployment footprint. No exploit code or weaponized proof-of-concept is provided. This explainer does not constitute professional security advice; consult your security team and vendor guidance for deployment-specific remediation decisions. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).