CVE-2026-33753
Published: 08 April 2026
Summary
CVE-2026-33753 is a medium-severity Improper Certificate Validation (CWE-295) vulnerability in Trailofbits Rfc3161-Client. Its CVSS base score is 6.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Subvert Trust Controls (T1553); ranked at the 0.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation requires patching the rfc3161-client library to version 1.0.6, directly eliminating the improper certificate validation logic flaw.
Public Key Infrastructure Certificates control mandates proper validation of certificates including leaf selection and EKU checks, preventing spoofed certificate exploitation in PKCS#7 bags during TSP verification.
Software integrity verification ensures cryptographic signatures and associated certificates are validated correctly, mitigating the library's faulty authorization pinning against forged certificates.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables bypassing certificate validation and TSA authorization pinning via spoofed certificates in PKCS#7 responses, directly facilitating subversion of trust controls.
NVD Description
rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw…
more
in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6.
Deeper analysisAI
CVE-2026-33753 is an authorization bypass vulnerability (CWE-295: Improper Certificate Validation) in the rfc3161-client Python library, which implements the Time-Stamp Protocol (TSP) described in RFC 3161. The flaw affects versions prior to 1.0.6 and stems from faulty logic in extracting the leaf certificate from an unordered PKCS#7 bag of certificates during signature verification. This allows attackers to manipulate certificate selection, leading to improper validation of TSA authorization.
A local attacker with low-complexity access (no privileges or user interaction required) can exploit the vulnerability by crafting a TSP response signed by a trusted TSA, such as FreeTSA, and appending a spoofed certificate to the PKCS#7 bag that matches the required common_name and Extended Key Usage (EKU). The library then verifies authorization rules against the forged certificate while cryptographically validating the signature against the legitimate TSA chain, fully bypassing TSA authorization pinning. The CVSS v3.1 base score is 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting high integrity impact within unchanged scope.
The issue is addressed in rfc3161-client version 1.0.6. Advisory guidance from the GitHub security advisory (GHSA-3xxc-pwj6-jgrj) recommends upgrading to the patched version to mitigate the vulnerability.
Details
- CWE(s)