CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55960

highCVSS 7.5covered by 2 sourcesfirst seen 2026-06-09
Un-negotiated Raw Public Key (RFC 7250) accepted in place of an X.509 certificate, bypassing chain validation. A raw public key has no chain, so ParseCertRelative() accepts it without performing any trust verification; it must therefore only be accepted when RPK was actually negotiated for that peer. The check now defaults the expected type to X.509 (per RFC 7250/8446) when no type was negotiated, comparing against the received server certificate type on the client and the selected client certificate type on the server, and rejects any mismatch, including an un-negotiated raw public key, with UNSUPPORTED_CERTIFICATE. Only affects builds with Raw Public Key support (HAVE_RPK) enabled - disabled by default in a standalone build, but included in --enable-all.

CSIRTS triage

Other
What
Un-negotiated Raw Public Key is accepted, bypassing chain validation.
Who is affected
Systems using the affected cryptographic libraries.
Urgency
High urgency due to a CVSS score of 7.5, indicating significant risk.
Action
Implement the recommended security updates for the cryptographic libraries.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-55960

Get an email if CVE-2026-55960 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-55960

CVE.org record

Embed the live status

CVE-2026-55960 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-55960 status](https://www.csirts.com/badge/CVE-2026-55960)](https://www.csirts.com/cve/CVE-2026-55960)