CVE-2026-27137

Published: Mar 6, 2026Modified: Apr 21, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.

Affected (1)

Products: Golang: Go

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Version 1.26.0

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (4)

https://go.dev/cl/752182

Source: security@golang.org

Mailing List

https://go.dev/issue/77952

Source: security@golang.org

Issue Tracking

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

Source: security@golang.org

Release Notes

https://pkg.go.dev/vuln/GO-2026-4599

Source: security@golang.org

Vendor Advisory

Timeline

No history available yet.