CVE-2026-35563
Description
Apache Directory LDAP API client up to 2.1.7 accepts any valid TLS certificate, enabling MITM server impersonation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Apache Directory LDAP API client implementation, in versions 2.0.0 through 2.1.7, fails to verify that the TLS server certificate matches the intended LDAP hostname [1]. The code checks the certificate chain against a trusted authority, but does not perform hostname validation, allowing a certificate issued for any other valid domain to be accepted for the LDAP connection [1].
Exploitation
An attacker with man-in-the-middle (MITM) access to the network can present an arbitrary TLS certificate that chains to a trust anchor in the client's trust store [1]. No authentication or user interaction beyond establishing the LDAP connection is required. The attacker simply intercepts the LDAP TLS handshake and supplies a legitimate certificate for an unrelated host, which will be accepted due to the missing hostname check.
Impact
Successful exploitation allows the attacker to impersonate the intended LDAP server. All data transmitted over the connection, including authentication credentials and directory content, can be intercepted, modified, or completely compromised [1]. The client’s trust in the server is fully undermined, leading to disclosure of sensitive information and potential unauthorized actions.
Mitigation
Hostname verification is enforced in a new version of the LDAP API [1]. Users should upgrade to the fixed release as soon as it is available. The advisory does not specify the exact fixed version number, but updating beyond 2.1.7 is recommended. No workarounds are documented in the available reference.
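As an added illustration (not code from this page or from the Apache Directory project), this is how a Java LDAPS client enforces the hostname check the advisory says was missing, using standard JSSE rather than the library's own connection configuration; the host and port are placeholders, and the default JVM trust store is assumed.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

/** Opens an LDAPS socket that rejects certificates not issued for the requested host. */
public final class LdapsHostnameCheck {

    /**
     * Returns a handshaken socket to host:port. The handshake fails (SSLHandshakeException)
     * if the chain does not reach a trust anchor OR if the certificate's subject alternative
     * names / CN do not match the host we asked for.
     */
    public static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        SSLParameters params = socket.getSSLParameters();
        // The weak state described in the advisory is this value left unset: JSSE then verifies
        // only the chain, so a valid certificate for an unrelated host is accepted.
        // "LDAPS" selects the identity-matching rules for LDAP over TLS ("HTTPS" is the other
        // standard value); either one ties the certificate to the expected hostname.
        params.setEndpointIdentificationAlgorithm("LDAPS");
        socket.setSSLParameters(params);

        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder target; a mismatched or impersonating server makes startHandshake() throw.
        try (SSLSocket s = connect("ldap.example.invalid", 636)) {
            System.out.println("Negotiated " + s.getSession().getProtocol()
                    + " with verified peer " + s.getSession().getPeerHost());
        }
    }
}
```

Reviewing a client for this class of bug means looking for TLS sockets or engines whose SSLParameters never set an endpoint identification algorithm, or custom trust managers that validate the chain but ignore the peer hostname.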
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.1.7
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.