CVE-2026-33753

Name of the Vulnerable Software and Affected Versions rfc3161-client versions prior to 1.0.6

Description An authorization bypass issue exists in rfc3161-client's signature verification. An attacker can impersonate a trusted TimeStamping Authority (TSA) by exploiting a flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates. The attacker appends a spoofed certificate matching the target common name and Extended Key Usage (EKU) requirements, tricking the library into verifying authorization rules against the forged certificate while validating the cryptographic signature against a trusted TSA like FreeTSA. This bypasses TSA authorization pinning. The root cause is in the rfc3161 client.verify.Verifier. verify leaf certs() function, which incorrectly identifies the leaf certificate. An attacker can acquire a legitimate timestamp from a trusted TSA, generate a self-signed certificate with the target common name and ExtendedKeyUsage set to id-kp-timeStamping, and inject both the spoofed certificate and a dummy certificate into the PKCS#7 bag. This causes the library to select the spoofed certificate for verification, leading to a successful bypass of the intended TSA authorization. The API endpoint https://freetsa.org/tsr is used to obtain a legitimate timestamp. The vulnerable parameter is common name used in the VerifierBuilder.

Recommendations Update to rfc3161-client version 1.0.6 or later.