GHSA-8x3w-qj7j-gqhf: openmls has improper tag validation

February 4, 2026

Membership and confirmation tags may not be checked correctly due to a missing length check. Any tag that is shorter than the expected tag, but matches up to its length, as well as any empty tag is considered valid.

References

github.com/advisories/GHSA-8x3w-qj7j-gqhf
github.com/openmls/openmls
github.com/openmls/openmls/commit/91ec049ffc2fa3766110223aa2aabe0303837af8
github.com/openmls/openmls/releases/tag/openmls-v0.7.2
github.com/openmls/openmls/security/advisories/GHSA-8x3w-qj7j-gqhf

Code Behaviors & Features

Detect and mitigate GHSA-8x3w-qj7j-gqhf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →