Wildcard Certificates Can Bypass Validation in Some Cases
GO-2026-4866
CVE-2026-33810
Summary
A bug in certificate validation can allow a malicious certificate to be accepted as trusted when it should be rejected. This happens when a certificate has a wildcard DNS name whose letter case differs from that of an excluded DNS constraint in the chain, so the exclusion is not applied to it. To fix this, update stdlib to the fixed version listed below.
What to do
- Update stdlib to version 1.26.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | stdlib | > 1.26.0-0, <= 1.26.2 | 1.26.2 |
Original title
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only af...
Original description
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
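The following is an added example, not code from the Go project or from this advisory: an independent, case-insensitive audit of a chain returned by `Verify`, listing DNS SANs (wildcards included) that a CA higher in the chain excludes. The helper names `inSubtree`, `sanExcluded` and `ExcludedSANs` are hypothetical, the sample certificates are constructed, and the matching is a conservative approximation of name-constraint semantics rather than the verifier's own logic.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// inSubtree expects lower-cased input; a leading-dot constraint covers subdomains only.
func inSubtree(name, constraint string) bool {
	return name == constraint || strings.HasSuffix(name, "."+strings.TrimPrefix(constraint, "."))
}

// sanExcluded (hypothetical helper) lower-cases both sides and flags a wildcard
// SAN if any name it can cover falls under the excluded constraint.
func sanExcluded(san, constraint string) bool {
	san, constraint = strings.ToLower(san), strings.ToLower(constraint)
	base, wild := strings.CutPrefix(san, "*.")
	if !wild {
		return inSubtree(san, constraint)
	}
	if inSubtree("x."+base, constraint) { // every covered name is in the subtree
		return true
	}
	label, ok := strings.CutSuffix(constraint, "."+base) // constraint is one label under base
	return ok && label != "" && !strings.Contains(label, ".")
}

// ExcludedSANs takes a chain ordered leaf first and returns each DNS SAN excluded by a CA above it.
func ExcludedSANs(chain []*x509.Certificate) []string {
	var hits []string
	for i, cert := range chain {
		for _, ca := range chain[i+1:] {
			for _, c := range ca.ExcludedDNSDomains {
				for _, san := range cert.DNSNames {
					if sanExcluded(san, c) {
						hits = append(hits, san)
					}
				}
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample: only the fields the check reads are populated.
	leaf := &x509.Certificate{DNSNames: []string{"*.EXAMPLE.com", "ok.example.org"}}
	ca := &x509.Certificate{ExcludedDNSDomains: []string{"example.com"}}
	fmt.Println(ExcludedSANs([]*x509.Certificate{leaf, ca}))
}
```

A non-empty result for a chain that `Verify` accepted means the verifier did not apply an exclusion that the chain's CAs declare.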
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026