CVE-2025-15346 CRITICAL

CVE-2025-15346: wolfSSL Python library `CERT_REQUIRED` mode fails to enforce client certificate requirement

Vendor Wolfssl

Product wolfSSL-py

Weakness CWE-306 · Missing auth

Published January 7, 2026

Last update January 8, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y

What the vulnerability does

Description

A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced. Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided. This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake. The issue affects versions up to and including 5.8.2.

Key dates

Disclosure timeline

January 7, 2026 CVE published

January 8, 2026 Record updated