CVE-2026-4587

LOW

HybridAuth SSL Curl.php certificate validation

Title source: cna

Description

A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet.

References (5)

[Vdb Entry, Technical Description] https://vuldb.com/?id.352423

[Signature, Permissions Required] https://vuldb.com/?ctiid.352423

[Third Party Advisory] https://vuldb.com/?submit.775463

[Issue Tracking] https://github.com/hybridauth/hybridauth/issues/1444

[Product] https://github.com/hybridauth/hybridauth/

Scores

CVSS v3 3.7

EPSS 0.0003

EPSS Percentile 6.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-287 CWE-295

Status published

Products (4)

hybridauth/hybridauth 0Packagist

n/a/HybridAuth 3.12.0

n/a/HybridAuth 3.12.1

n/a/HybridAuth 3.12.2

Published Mar 23, 2026

Tracked Since Mar 23, 2026