CVE-2026-34873
Published: 01 April 2026
Summary
CVE-2026-34873 is a critical-severity Improper Authentication (CWE-287) vulnerability in Arm Mbed TLS. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and correction of flaws like CVE-2026-34873 in Mbed TLS to prevent client impersonation during TLS 1.3 session resumption.
- SC-23 (Session Authenticity): Mandates protection of communications session authenticity, directly countering the improper authentication vulnerability enabling client impersonation in TLS 1.3 resumption.
- Requires implementation of cryptographic mechanisms to protect transmission confidentiality and integrity, addressing flaws in TLS libraries like Mbed TLS through proper selection and updates.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of improper authentication in a TLS library (Mbed TLS) to impersonate clients during TLS 1.3 session resumption, directly facilitating unauthorized access via network exploitation of public-facing applications.
NVD Description
An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session.
Deeper analysis
CVE-2026-34873 is a vulnerability discovered in Mbed TLS versions 3.5.0 through 4.0.0 that enables client impersonation during the resumption of a TLS 1.3 session. Published on 2026-04-01, it is classified under CWE-287 (Improper Authentication) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high confidentiality and integrity impacts.
Remote attackers can exploit this issue without privileges or user interaction, as it requires only network access and low attack complexity. By impersonating a legitimate client during TLS 1.3 session resumption, adversaries can achieve unauthorized access to sensitive data or manipulate communications, compromising both confidentiality and integrity while leaving availability unaffected.
Mitigation details are provided in the official Mbed TLS security advisories, accessible at https://mbed-tls.readthedocs.io/en/latest/security-advisories/ and the specific advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-client-impersonation-while-resuming-tls13-session/. Security practitioners should consult these for patching instructions and workarounds applicable to affected versions.
Details
- CWE(s)