CVE-2026-4587

A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet.

CVSS v3 3.7 LOW
CVSS v2.0 2.6 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

2.6^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:H/Au:N/C:N/I:P/A:N

Exploitability : 4.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/hybridauth/hybridauth/
https://github.com/hybridauth/hybridauth/issues/1444
https://vuldb.com/?ctiid.352423
https://vuldb.com/?id.352423
https://vuldb.com/?submit.775463

Configurations

No configuration.

History

24 Apr 2026, 16:32

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad fue encontrada en HybridAuth hasta la versión 3.12.2. Este problema afecta a algún procesamiento desconocido del archivo src/HttpClient/Curl.php del componente Gestor SSL. La manipulación del argumento curlOptions resulta en una validación de certificado incorrecta. El ataque puede ser lanzado de forma remota. Este ataque se caracteriza por una alta complejidad. La explotabilidad se evalúa como difícil. El proyecto fue informado del problema tempranamente a través de un informe de problema, pero aún no ha respondido.

23 Mar 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-23 13:16

Updated : 2026-04-24 16:32

NVD link : CVE-2026-4587

Mitre link : CVE-2026-4587

CVE.ORG link : CVE-2026-4587

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

CWE-295

Improper Certificate Validation

{"id": "CVE-2026-4587", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 2.6, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-23T13:16:31.320", "references": [{"url": "https://github.com/hybridauth/hybridauth/", "source": "cna@vuldb.com"}, {"url": "https://github.com/hybridauth/hybridauth/issues/1444", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.352423", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.352423", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.775463", "source": "cna@vuldb.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en HybridAuth hasta la versi\u00f3n 3.12.2. Este problema afecta a alg\u00fan procesamiento desconocido del archivo src/HttpClient/Curl.php del componente Gestor SSL. La manipulaci\u00f3n del argumento curlOptions resulta en una validaci\u00f3n de certificado incorrecta. El ataque puede ser lanzado de forma remota. Este ataque se caracteriza por una alta complejidad. La explotabilidad se eval\u00faa como dif\u00edcil. El proyecto fue informado del problema tempranamente a trav\u00e9s de un informe de problema, pero a\u00fan no ha respondido."}], "lastModified": "2026-04-24T16:32:53.997", "sourceIdentifier": "cna@vuldb.com"}