Vulnerability in Apache Directory_ldap_api

CVE-2026-35563

It was identified that the LDAP client implementation in version 2.1.7 does not verify if the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, t…

EPSS: 0.000 (9.8th percentile).

CVSS v3 metric

CVSS v3 base score 8.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.

Frequently asked questions

What is CVE-2026-35563?
CVE-2026-35563 is a high-severity vulnerability in Apache Directory_ldap_api, classified under Improper Validation of Certificate with Host Mismatch. CVSS score: 8.5/10. Published 2026-06-01.

How severe is CVE-2026-35563?
High severity. The CVSS v3 base score is 8.5 out of 10.