CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-11703

highCVSS 7.5covered by 2 sourcesfirst seen 2026-06-09
Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for ticket-based resumption. A cached session could be resumed under a different SNI/ALPN than originally negotiated and, where client-authentication policy differs across virtual hosts, carry the cached peer-authentication state into a context it was not established for. Resumption now verifies the SNI/ALPN binding for all paths and declines (falling back to a full handshake) on mismatch.

CSIRTS triage

Other
What
Missing SNI/ALPN binding on stateful TLS session resumption.
Who is affected
Users of affected TLS implementations.
Urgency
Remediation is urgent due to the high severity of the vulnerability.
Action
Implement necessary configurations to ensure SNI/ALPN binding.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-11703

Get an email if CVE-2026-11703 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-11703

CVE.org record

Embed the live status

CVE-2026-11703 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-11703 status](https://www.csirts.com/badge/CVE-2026-11703)](https://www.csirts.com/cve/CVE-2026-11703)