Low severity3.7NVD Advisory· Published Mar 23, 2026· Updated Apr 24, 2026

CVE-2026-4587

Description

A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
hybridauth/hybridauthPackagist	<= 3.12.2	—

Affected products

Hybridauth/Hybridauthreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-r3hf-q3mf-7h6wghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-4587ghsaADVISORY
github.com/hybridauth/hybridauth/issues/1444nvdWEB
vuldb.comnvdWEB
vuldb.comnvdWEB
vuldb.comnvdWEB

News mentions

No linked articles in our index yet.

Severity

LowCVSS v3.1

3.7/ 10

CVSS v46.3

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: High
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.03%

VYPR risk score

Composite of severity, exploitation, and reach.

0.24low

cvss	0.240
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-287
Improper Authentication
CWE-295
Improper Certificate Validation

CVE ID

CVE-2026-4587

Source code

Credits

J(
jstyles (VulDB User)
reporter
J
jontyms
analyst · ghsa