CVE-2026-55599
Summary
When an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature() reads a URL out of that certificate's Authority Information Access (AIA) extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connection. URL fetching is enabled by default, and no destination is blocked. An unauthenticated attacker can therefore make a validating server open connections to internal hosts and ports it should never reach, for example loopback 127.0.0.1, cloud metadata address 169.254.169.254, and internal-only services. This is a server-side request forgery (SSRF) caused by an insecure default. It is reproducible on current released LTS 3.0.53 and on 4.0 development line.
Details
When no already-trusted certificate authority is the issuer of certificate under validation, validateSignatureCountable() continues to AIA fetching. Default for validateSignature() is caonly = true:
// phpseclib/File/X509.php:1316-1327 (4.0 development line, commit 74ada1a6)
if (!isset($signingCert)) {
if ($caonly) {
return $this->testForIntermediate(true, $count) && $this->validateSignature(true);
} else {
try {
$this->testForSelfSigned();
$signingCert = $this;
} catch (BadMethodCallException) {
return $this->testForIntermediate(true, $count) && $this->validateSignature(true);
}
}
}
testForIntermediate() takes URL straight out of certificate's AIA caIssuers field and fetches it. Value comes directly from certificate content and is never restricted:
// phpseclib/File/X509.php:1357-1391 (4.0 development line)
$opts = $this->getExtension('id-pe-authorityInfoAccess');
...
foreach ($opts['extnValue'] as $opt) {
if ($opt['accessMethod'] == 'id-ad-caIssuers') {
if (isset($opt['accessLocation']['uniformResourceIdentifier'])) {
$url = (string) $opt['accessLocation']['uniformResourceIdentifier']; // attacker controlled
break;
}
}
}
...
$cert = static::fetchURL($url); // server-side request forgery
fetchURL() conne
⚡ Watch CVE-2026-55599
Get an email if CVE-2026-55599 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.13% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 3% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-55599)