CVE-2026-53712

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms

Summary

A flaw in com.ongres.scram:scram-client allows an attacker capable of performing a TLS man-in-the-middle (MITM) attack to silently downgrade a connection from SCRAM-SHA-256-PLUS (with channel binding) to standard SCRAM-SHA-256 (without channel binding), bypassing strict client-side enforcement policies.

Component Breakdown

This occurs due to a two-part failure in TlsServerEndpoint when a server presents an X.509 certificate using a modern signature algorithm that lacks traditional WITH naming structures (such as Ed25519 or post-quantum algorithms):

  • The internal hash derivation method fails to parse the algorithm name, swallows the resulting NoSuchAlgorithmException, and silently returns an empty byte array via the deprecated getChannelBindingData() API.
  • The client builder mistakenly interprets this empty byte array as an environmental absence of channel binding data rather than a cryptographic failure, falling back to non-channel-bound authentication.

Impact & Scope

This issue only impacts deployments where the downstream application layer explicitly enforces strict channel binding enforcement (e.g., channelBinding=require in pgJDBC).

Drivers operating under a "prefer" or "allow" policy (used by default) are structurally insulated from an unhandled exception since a fallback to standard SCRAM is within their expected configuration.

Remediation

Update your project configuration to pull in version 3.3 or later of the SCRAM library, which introduces strict exception propagation and explicit policy controls.

If you are interacting with the ScramClient builder API directly (e.g., writing a custom driver or database extension):

  • Migrate Deprecated APIs: Stop using TlsServerEndpoint.getChannelBindingData(). Transition immediately to TlsServerEndpoint.getChannelBindingHash(), which correctly propagates NoSuchAlgorithmException up the stack.
  • Adopt Explicit Policies: Leverage the newly introduced ChannelBindingPolicy` API during client construction. Do not rely on implicit parameter presence to dictate your security boundaries.

ScramClient client = ScramClient.builder()
    .advertisedMechanisms(serverMechanisms)
    .username(user)
    .password(pass)
    // Explicitly enforce strict boundaries if needed.
    .channelBindingPolicy(ChannelBindingPolicy.REQUIRE) 
    .channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, certHash)
    .build();

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 1, 2026

Last Modified

July 1, 2026

Vendor Advisories for CVE-2026-53712(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-01 22:02 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-53712?
CVE-2026-53712 is a high vulnerability published on July 1, 2026. OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms Summary A flaw in com.ongres.scram:scram-client allows an attacker capable of performing a TLS man-in-the-middle (MITM) attack to silently downgrade a connection from SCRAM-SHA-256-PLUS (with channel…
When was CVE-2026-53712 disclosed?
CVE-2026-53712 was first published in the National Vulnerability Database on July 1, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-53712?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53712, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53712

Explore →

Is Your Infrastructure Affected by CVE-2026-53712?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.