CVE Vulnerabilities

CVE-2026-33810

Improper Certificate Validation

Published: Apr 08, 2026 | Modified: Jul 02, 2026
CVSS 3.x
8.2
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
8.8 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

NameVendorStart VersionEnd Version
GoGolang1.26.0 (including)1.26.2 (excluding)
Cryostat 4 on RHEL 9RedHatcryostat/cryostat-storage-rhel9:4.1.1-7*
HawtIO HawtIO 4.4.0RedHathawtio-operator-container*
Red Hat Enterprise Linux 10RedHatopentelemetry-collector-0:0.144.0-2.el10_2*
Red Hat Enterprise Linux 10RedHatgolang-github-openprinting-ipp-usb-0:0.9.27-7.el10_2*
Red Hat Enterprise Linux 10.0 Extended Update SupportRedHatopentelemetry-collector-0:0.144.0-2.el10_0*
Red Hat Enterprise Linux 9RedHatopentelemetry-collector-0:0.144.0-2.el9_8*
Red Hat Enterprise Linux 9.4 Extended Update SupportRedHatopentelemetry-collector-0:0.144.0-2.el9_4*
Red Hat Enterprise Linux 9.6 Extended Update SupportRedHatopentelemetry-collector-0:0.144.0-2.el9_6*
Red Hat OpenStack Platform 17.1 for RHEL 9RedHatetcd-0:3.4.26-9.5.el9ost*
Red Hat Satellite 6.19 for RHEL 9RedHatyggdrasil-worker-forwarder-0:0.0.3-5.el9sat*
Logging Subsystem for Red Hat OpenShift 6.0RedHatopenshift-logging/eventrouter-rhel9:1781192891*
Logging Subsystem for Red Hat OpenShift 6.4RedHatopenshift-logging/eventrouter-rhel9:1780051640*
Multicluster Global Hub 1.4.5RedHatmulticluster-globalhub/multicluster-globalhub-agent-rhel9:1779838819*
Multicluster Global Hub 1.5.4RedHatmulticluster-globalhub/multicluster-globalhub-agent-rhel9:1779828691*
Multicluster Global Hub 1.6.2RedHatmulticluster-globalhub/multicluster-globalhub-agent-rhel9:1780320809*
OpenShift API for Data Protection 1.4RedHatoadp/oadp-velero-rhel9:1779809598*
OpenShift API for Data Protection 1.5RedHatoadp/oadp-velero-rhel9:1779808027*
OpenShift Compliance Operator 1RedHatcompliance/openshift-compliance-operator-bundle:1781605005*
Red Hat Ansible Automation Platform 2.6RedHatansible-automation-platform-26/receptor-rhel9:1777391542*
Red Hat Hardened ImagesRedHatgolang1-26-main-1.26.2-1.hum1*
Red Hat Lightspeed (formerly Insights) for Runtimes 1RedHatrh-lightspeed-runtimes/runtimes-inventory-rhel9-operator:1.0.3-1779996197*
Red Hat OpenShift Builds 1.6.5RedHatopenshift-builds/openshift-builds-waiters-rhel9:1776847666*
Red Hat OpenShift Builds 1.6.5RedHatopenshift-builds/openshift-builds-waiters-rhel9:1776847666*
Red Hat OpenShift Builds 1.7.3RedHatopenshift-builds/openshift-builds-waiters-rhel9:1776846936*
Red Hat OpenShift Builds 1.7.3RedHatopenshift-builds/openshift-builds-waiters-rhel9:1776846936*
Red Hat OpenShift Dev Spaces 3.28RedHatdevspaces/udi-rhel9:1779829736*
Red Hat OpenShift distributed tracing 3.9.3RedHatrhosdt/tempo-rhel9:1776435680*
Red Hat Trusted Artifact Signer 1.3RedHatrhtas/client-server-rhel9:1780399582*
Red Hat Web Terminal 1.11RedHatweb-terminal/web-terminal-exec-rhel9:1780423339*
Red Hat Web Terminal 1.12RedHatweb-terminal/web-terminal-exec-rhel9:1780425077*
Red Hat Web Terminal 1.13RedHatweb-terminal/web-terminal-exec-rhel9:1780425080*
Red Hat Web Terminal 1.14RedHatweb-terminal/web-terminal-exec-rhel9:1780424928*
Red Hat Web Terminal 1.15RedHatweb-terminal/web-terminal-exec-rhel9:1780424829*
Golang-1.10Ubuntuesm-infra/xenial*
Golang-1.13Ubuntuesm-apps/xenial*
Golang-1.18Ubuntuesm-apps/xenial*
Golang-1.6Ubuntuesm-infra/xenial*

Potential Mitigations

References