CVE-2016-2402 in OkHttp

Summary

by MITRE

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.


Analysis

by VulDB Data Team • 01/11/2026

The vulnerability identified as CVE-2016-2402 affects OkHttp versions before 2.7.4 and 3.x versions before 3.1.2, and is a critical flaw in the library's certificate pinning implementation. It lies in the SSL/TLS certificate validation that applications using OkHttp rely on when establishing secure connections to remote servers. Certificate pinning is a technique for preventing man-in-the-middle attacks: an application accepts only specific certificates or public keys rather than any certificate a trusted authority would issue, which mitigates the risk posed by compromised or fraudulently issued certificates.

The technical flaw occurs when OkHttp processes a certificate chain in which an attacker has combined a certificate from a trusted Certificate Authority that is not pinned with the actual pinned certificate. Such a chain satisfies the library's validation requirements, so the intended pinning protection is bypassed while the attacker retains the ability to intercept and decrypt the traffic. The root cause is the library's handling of certificate chain validation, specifically its failure to enforce the pinned certificate requirements when multiple certificates are present in the chain.

The operational impact is severe because the flaw undermines the fundamental promise of certificate pinning, namely that an attacker cannot use a compromised or fraudulent certificate to impersonate a legitimate service. An attacker can exploit this weakness to mount man-in-the-middle attacks against applications that rely on OkHttp for secure communications and potentially obtain sensitive data, credentials, and other confidential information sent over the network. Mobile applications, web services, and any other software that uses OkHttp for SSL/TLS connections are affected, which makes the flaw particularly dangerous where sensitive data is transmitted.

This vulnerability aligns with CWE-295 (improper certificate validation) and relates to ATT&CK technique T1573.002, "Encrypted Channel: Asymmetric Cryptography", in which adversaries establish secure communication channels to maintain persistence and exfiltrate data. The flaw is a weakness in the certificate validation logic that should have rejected certificate chains that do not strictly adhere to the pinned certificate requirements. Organizations should immediately update OkHttp to version 2.7.4 or later (2.x) or 3.1.2 or later (3.x) to remediate the vulnerability. Additional mitigations include implementing proper certificate pinning validation, monitoring for unusual certificate chain patterns, and conducting regular security assessments of SSL/TLS implementations to catch similar issues in other libraries and frameworks.

Reservation

02/17/2016

Disclosure

01/30/2017

Moderation

accepted

Entry

VDB-96298

CPE

ready

EPSS

0.02681

KEV

no

Activities

very low

Sources
