CVE-2026-8367 PUBLISHED

aria2c Improper Certificate Validation

Assigner: tenable
Reserved: 11.05.2026 Published: 13.05.2026 Updated: 13.05.2026

aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 4.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	aria2_project
Product	aria2c
Versions	Default: unaffected affected from 0 to 1.37.0 (incl.)

References

https://www.tenable.com/security/research/tra-2026-38

Problem Types

CWE-295 Improper certificate validation CWE