CVE-2026-33753
CWE-295Published: April 8, 2026· Updated: Apr 8, 2026
Official Description
rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6.
Technical Analysis
CVE-2026-33753 requires local access, meaning attackers must already have a foothold on the target system.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
A successful exploit results in full integrity compromise (data manipulation), with a CVSS base score of 6.2.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (2)
Quick Facts
Related CVEs (CWE-295)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-33753 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts