## PyCA Cryptography 46.0.6 Patches Critical X.509 Wildcard Certificate Validation Flaw (CVE-2026-34073)
A security vulnerability in the widely used PyCA cryptography library has been patched: a flaw in X.509 certificate path validation that could let an attacker bypass name constraints. The bug, tracked as CVE-2026-34073, was triggered when a leaf certificate carried a wildcard DNS Subject Alternative Name (SAN). In that case the verifier did not apply the chain's name constraints to the peer name being checked, so a chain passing through a name-constrained CA could validate for a host name the constraints should have rejected, enabling spoofing or man-in-the-middle attacks in non-standard PKI topologies. The maintainers credit Oleh Konko (1seal) for the discovery and responsible disclosure.
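
To make the failure mode concrete, the following is an added example written for this page; it is not code from the PyCA cryptography project and does not reproduce its verifier. It models RFC 5280 dNSName constraint matching and RFC 6125-style wildcard host matching in plain Python, then compares a validator that checks name constraints only against the leaf's SANs with one that also checks them against the concrete peer name. The treatment of a wildcard SAN (checking its base domain against the constraints) and the sample names (`example.com`, `bad.example.com`) are assumptions made for illustration.

```python
"""Model of the name-constraint gap a wildcard leaf SAN can open.

Added example for illustration only; not the library's own verification code.
Assumption: a wildcard SAN "*.example.com" is checked against name constraints
via its base domain "example.com". Sample names are constructed for the demo.
"""


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName matching: a constraint of "host.example.com"
    covers host.example.com and any name built by adding labels on the left."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def san_satisfies_constraints(san: str, permitted: list[str], excluded: list[str]) -> bool:
    """Apply permitted/excluded dNSName subtrees to one DNS name.
    For a wildcard SAN the base domain (text after "*.") is what gets checked
    (assumption of this model)."""
    base = san[2:] if san.startswith("*.") else san
    if any(dns_in_subtree(base, ex) for ex in excluded):
        return False
    if permitted and not any(dns_in_subtree(base, p) for p in permitted):
        return False
    return True


def hostname_matches(peer: str, san: str) -> bool:
    """RFC 6125-style matching: a wildcard is only honoured in the leftmost
    label and matches exactly one label, so "*.example.com" matches
    "bad.example.com" but not "a.b.example.com" or "example.com"."""
    peer, san = peer.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        peer_labels, san_labels = peer.split("."), san.split(".")
        return len(peer_labels) == len(san_labels) and peer_labels[1:] == san_labels[1:]
    return peer == san


def peer_accepted(peer: str, leaf_sans: list[str], permitted: list[str],
                  excluded: list[str], constrain_peer_name: bool = True) -> bool:
    """Decide whether `peer` is accepted for a leaf with `leaf_sans` under the
    chain's name constraints.

    constrain_peer_name=False models a verifier that only constrains the SANs;
    True additionally constrains the concrete peer name, which is what closes
    the gap for wildcard SANs."""
    # 1. Path validation: every leaf SAN must lie inside the constraints.
    if not all(san_satisfies_constraints(s, permitted, excluded) for s in leaf_sans):
        return False
    # 2. Host matching: the peer name must match at least one SAN.
    if not any(hostname_matches(peer, s) for s in leaf_sans):
        return False
    # 3. Hardened step: the expanded peer name itself must satisfy the constraints.
    if constrain_peer_name and not san_satisfies_constraints(peer, permitted, excluded):
        return False
    return True


if __name__ == "__main__":
    # Constructed topology: an intermediate CA permitted to issue under
    # example.com but with bad.example.com excluded; the leaf has a wildcard SAN.
    permitted, excluded = ["example.com"], ["bad.example.com"]
    wildcard_leaf = ["*.example.com"]
    for peer in ("www.example.com", "bad.example.com"):
        weak = peer_accepted(peer, wildcard_leaf, permitted, excluded, constrain_peer_name=False)
        strict = peer_accepted(peer, wildcard_leaf, permitted, excluded)
        print(f"{peer:18} SAN-only check: {weak!s:5}  peer-name check: {strict}")
    # A non-wildcard leaf naming the excluded host is rejected by both variants,
    # which is why the gap only shows up with wildcard SANs.
    print("bad.example.com (literal SAN):",
          peer_accepted("bad.example.com", ["bad.example.com"], permitted, excluded,
                        constrain_peer_name=False))
```

Running the block shows `bad.example.com` slipping through when only the wildcard SAN is constrained and being rejected once the peer name is constrained as well. On a real deployment the practical check is the installed version (`python -c "import cryptography; print(cryptography.__version__)"` should report 46.0.6 or later) and, for custom PKI, verifying a chain with this shape through `cryptography.x509.verification` rather than relying on the model above.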

While the maintainers note that ordinary X.509 topologies, including those underpinning the Web PKI, are not affected, the fix matters for any deployment that validates custom chains combining name-constrained CAs with wildcard leaf certificates. The vulnerability was fixed in version 46.0.6, released on March 25, 2026. This release follows a previous security update in version 46.0.5, which addressed a separate issue in which maliciously crafted public keys could leak portions of a private key when uncommon binary elliptic curves were used.

The rapid succession of security patches underscores the persistent scrutiny on cryptographic libraries, which form the bedrock of secure communications and identity verification across countless applications. Organizations and developers relying on the PyCA cryptography library, particularly in Python-based security tooling, cloud infrastructure, and internal PKI systems, should prioritize upgrading to version 46.0.6 or later to close this validation bypass. Left unpatched, bespoke certificate-authority deployments that rely on name constraints remain exposed to impersonation attacks.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-34073, X.509, Security Vulnerability, Python, Cryptography Library
- **Credibility**: unverified
- **Published**: 2026-04-14 13:22:56
- **ID**: 63818
- **URL**: https://whisperx.ai/en/intel/63818