Back to overview

CVE-2026-53712

HIGH
8.2
CVSS 4.0
Description
SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to 3.3, a flaw in com.ongres.scram:scram-client and com.ongres.scram:scram-common allows an attacker capable of a TLS man-in-the-middle attack to silently downgrade a connection from SCRAM-SHA-256-PLUS with channel binding to standard SCRAM-SHA-256 without channel binding when TlsServerEndpoint processes an X.509 certificate using a modern signature algorithm such as Ed25519; getChannelBindingData() can return an empty byte array after NoSuchAlgorithmException, and the ScramClient builder treats that as absent channel-binding data. This issue is fixed in version 3.3.

Metadata

CVE ID
CVE-2026-53712
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-10 16:43 UTC
Published
2026-07-17 18:19 UTC
Last updated
2026-07-17 19:09 UTC
Primary CWE
CWE-636
CWE-636: Not Failing Securely ('Failing Open')
Vendor / Product
ongres / scram
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
ongres scram < 3.3
Weakness (CWE)
CWESourceDescription
CWE-636 cna CWE-636: Not Failing Securely ('Failing Open')
CWE-757 cna CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.2 HIGH 4.0 cna CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N
References (2)
Back to overview