Hi,

The following vulnerability was published for apache-directory-api.

CVE-2026-35563[0]:
| It was identified that the LDAP client implementation in version
| 2.1.7 does not verify if the server certificate matches the intended
| LDAP  hostname. While the underlying code validates the certificate
| chain  against a trusted authority, the absence of endpoint
| identification  allows a valid certificate issued for an entirely
| unrelated host to be  improperly accepted. This oversight leaves the
| connection highly  vulnerable to server impersonation and complete
| connection compromise.   The  root cause of this vulnerability lies
| in the incomplete TLS server  identity verification within the LDAP
| client implementation.     The attacker requires MITM capability on
| the network to exploit this vulnerability. This attacker must be
| able to present a certificate trusted by the client's configured
| trust store.     The hostname verification has been enforced in the
| new version of the LDAP API


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-35563
https://www.cve.org/CVERecord?id=CVE-2026-35563
[1] https://www.openwall.com/lists/oss-security/2026/06/01/2

Regards,
Salvatore