CVE-2026-45388
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
In OCaml-TLS before version 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, allowing impersonation with certificates not meant for server authentication.
Risk Assessment
The organization may be exposed to impersonation attacks, potentially leading to unauthorized access to data or services.
Recommendation
It is recommended to upgrade OCaml-TLS to version 2.1.0 or later to ensure proper certificate checks.
Original NVD description (English source)
In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).

