
Netty CVE-2026-50010

EUVD-2026-36465 · HIGH
Improper Verification of Cryptographic Signature (CWE-347)
Published 2026-06-12 · GitHub_M · GHSA-c653-97m9-rcg9
CVSS 3.1 base score 7.5 (vendor: GitHub_M)

Severity by source

Vendor (GitHub_M), primary: 7.5 HIGH
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 7.4 HIGH
  Rationale: network vector; AC:H because exploitation requires an active MITM position and a vulnerable trustManager configuration; PR:N/UI:N on the client side; C:H and I:H because a hostname-bypass MITM enables both eavesdropping and tampering.
  CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

SUSE: HIGH (qualitative)

Red Hat: 7.5 HIGH (qualitative)

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 12, 2026 - 17:01 (EUVD)
Source code evidence fetched: Jun 12, 2026 - 16:19 (vuln.today)
Analysis generated: Jun 12, 2026 - 16:19 (vuln.today)
CVE published: Jun 12, 2026 - 14:50 (cve.org)

Blast Radius (ecosystem impact)

  • 686 Maven packages depend on io.netty:netty-handler (317 direct, 369 indirect); transitive graph resolved by vuln.today to a depth of 4 paths

Ecosystem-wide dependent count for version 4.2.0.Final.

Description (CVE.org)

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager) performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
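The two client constructions side by side, as an added example that is not code from the Netty project or from this advisory. The first is the affected shape the description names: a plain X509TrustManager handed to SslContextBuilder.forClient().trustManager(...). The second hands Netty an X509ExtendedTrustManager instead, which the description says neither Netty nor SunJSSE re-wraps; it delegates chain validation to the JDK's own extended trust manager with the SSLEngine passed through, so the JDK performs endpoint identification whenever the engine's SSLParameters carry endpointIdentificationAlgorithm "HTTPS" (set by default on 4.2 per the description; on 4.1, where the page states no default, confirm the engine requests it). The SPKI-pinning policy layered on top and all class and method names are this example's own assumptions.

```java
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

import java.net.Socket;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

public final class ExtendedTrustManagerExample {

    // VULNERABLE on netty-handler before 4.1.135.Final / 4.2.15.Final: the plain X509TrustManager is
    // wrapped in X509TrustManagerWrapper, whose checkServerTrusted(chain, authType, SSLEngine) drops
    // the engine, so no hostname check runs even though the engine asks for endpoint identification.
    static SslContext vulnerableClient(X509TrustManager plain) throws Exception {
        return SslContextBuilder.forClient().trustManager(plain).build();
    }

    // HARDENED: an X509ExtendedTrustManager is used as-is, so the SSLEngine reaches the manager that
    // performs endpoint identification (the JDK's, see jdkTrustManager below).
    static SslContext hardenedClient(X509ExtendedTrustManager extended) throws Exception {
        return SslContextBuilder.forClient().trustManager(extended).build();
    }

    // The JDK's default trust manager over the given trust store (platform cacerts when null). It is an
    // X509ExtendedTrustManager and, given the engine, checks the peer hostname when the engine's
    // SSLParameters carry endpointIdentificationAlgorithm "HTTPS".
    static X509ExtendedTrustManager jdkTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) return (X509ExtendedTrustManager) tm;
        }
        throw new IllegalStateException("no X509ExtendedTrustManager from " + tmf.getAlgorithm());
    }

    // Custom policy (SPKI pinning, a hypothetical policy for this example) layered on the JDK manager
    // rather than replacing it, so chain validation and hostname verification still happen.
    static final class PinningTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;
        private final Set<String> pinnedSpkiSha256; // base64(SHA-256(SubjectPublicKeyInfo))

        PinningTrustManager(X509ExtendedTrustManager delegate, Set<String> pinnedSpkiSha256) {
            this.delegate = delegate;
            this.pinnedSpkiSha256 = Set.copyOf(pinnedSpkiSha256);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType, engine); // chain validity and hostname
            requirePin(chain);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType, socket);
            requirePin(chain);
        }

        // Fail closed: with neither engine nor socket nobody can verify the peer's hostname.
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("checkServerTrusted without SSLEngine/Socket: no endpoint identification");
        }

        // Client-certificate (mutual TLS) paths are passed through unchanged.
        @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkClientTrusted(c, a, e); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkClientTrusted(c, a, s); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

        private void requirePin(X509Certificate[] chain) throws CertificateException {
            for (X509Certificate cert : chain) {
                if (pinnedSpkiSha256.contains(spkiSha256(cert))) return;
            }
            throw new CertificateException("no certificate in the chain matches a pinned SPKI hash");
        }

        static String spkiSha256(X509Certificate cert) throws CertificateException {
            try {
                byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
                return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e); // SHA-256 is mandatory in every JDK
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Platform CAs plus one pin (placeholder: replace with the base64 SHA-256 of the real SPKI).
        X509ExtendedTrustManager tm = new PinningTrustManager(jdkTrustManager(null), Set.of("REPLACE_ME"));
        SslContext ctx = hardenedClient(tm);
        System.out.println("client context built: isClient=" + ctx.isClient() + " with " + tm.getClass().getSimpleName());
    }
}
```

Upgrading remains the fix; the extended form is defense in depth that also stops depending on Netty's wrapper for the hostname check. To verify a deployment either way, point the client at a server whose certificate chains to a trusted CA but is issued for a different name (wrong.host.badssl.com serves that case): a correct configuration fails the handshake with a hostname mismatch, a vulnerable one connects.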

Analysis (AI)

TLS hostname verification is silently disabled in Netty's netty-handler module for any client built with SslContextBuilder.forClient().trustManager(somePlainX509TrustManager), allowing network attackers in a man-in-the-middle position to present a valid certificate for any host and intercept supposedly encrypted traffic. Affects all Netty versions prior to 4.1.135.Final and 4.2.15.Final; no public exploit identified at time of analysis and EPSS is very low (0.04%), but the defect bypasses a core TLS protection that Netty 4.2 explicitly advertises as enabled by default.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: identify a Netty-based TLS client built with a plain X509TrustManager
  • Delivery: gain a man-in-the-middle position on the network path
  • Exploit: present a certificate the client's trust manager accepts but that was issued for an unrelated hostname
  • Execution: Netty skips endpoint identification and accepts the handshake
  • Persist: proxy and decrypt the session traffic
  • Impact: harvest credentials or tamper with payloads

Vulnerability Assessment (AI)

Exploitation: The application must build its TLS client with Netty's SslContextBuilder.forClient().trustManager(...) and pass a plain javax.net.ssl.X509TrustManager (not an X509ExtendedTrustManager), which causes Netty to wrap it in the buggy X509TrustManagerWrapper; clients using the default JDK trust manager or supplying an X509ExtendedTrustManager are unaffected. Netty 4.2's HTTPS endpoint-identification default does not help, because the wrapper discards the SSLEngine that carries it. …

Risk Assessment: Signals are mixed: the CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and the 7.5 base score describe a remote-network confidentiality break, but exploitation realistically requires an active man-in-the-middle position, which the vendor vector flattens into AC:L, and a hostname-bypass MITM also lets the attacker modify traffic, which the vendor's I:N does not reflect. …

Exploit Scenario: An attacker on a coffee-shop Wi-Fi, a compromised upstream router, or a hostile transit network intercepts TLS traffic from a Netty-based client (e.g. a mobile backend agent, a microservice's outbound HTTPS call, or a Kafka/Redis client) and presents a certificate that the client's trust manager accepts (one chaining to a CA it trusts) but that was issued for an unrelated hostname. …

Remediation: Vendor-released patch: upgrade io.netty:netty-handler (and the rest of the Netty BOM) to 4.1.135.Final or 4.2.15.Final per the release notes at https://github.com/netty/netty/releases/tag/netty-4.1.135.Final and https://github.com/netty/netty/releases/tag/netty-4.2.15.Final and the advisory at https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9. …

Recommended Action (AI)

Within 24 hours: Identify all applications and services using Netty versions prior to 4.1.135.Final (4.1.x branch) or 4.2.15.Final (4.2.x branch) and flag those using SslContextBuilder.forClient(). …
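To make the identify-and-flag step enforceable where it matters most, at startup of the TLS client itself, an added example that is not code from Netty or from this page: it reads the netty-handler version that Netty records in each jar (io.netty.util.Version.identify(), part of netty-common) and refuses to run below the fixed version of the running branch. The 4.1.135 and 4.2.15 cut-offs are the advisory's; treating every branch newer than 4.2 as fixed, and everything older than 4.1 as affected, is this example's assumption, as are all names here.

```java
import io.netty.util.Version;

import java.util.Map;

public final class NettyHandlerVersionGate {

    // Minimum fixed versions per branch, from the advisory.
    static final int[] FIXED_4_1 = {4, 1, 135};
    static final int[] FIXED_4_2 = {4, 2, 15};

    // "4.1.134.Final" -> {4, 1, 134}; trailing qualifiers such as ".Final" or "-SNAPSHOT" are ignored.
    static int[] parse(String version) {
        String[] parts = version.split("[.-]");
        int[] out = new int[3];
        for (int i = 0; i < 3; i++) {
            if (i >= parts.length || !parts[i].matches("\\d+")) {
                throw new IllegalArgumentException("unparseable Netty version: " + version);
            }
            out[i] = Integer.parseInt(parts[i]);
        }
        return out;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    // true when netty-handler at this version carries the CVE-2026-50010 fix for its branch.
    static boolean isFixed(String version) {
        int[] v = parse(version);
        if (v[0] == 4 && v[1] == 1) return compare(v, FIXED_4_1) >= 0;
        if (v[0] == 4 && v[1] == 2) return compare(v, FIXED_4_2) >= 0;
        // Other branches (assumption): 4.0.x predates both fixes, anything newer than 4.2 carries them.
        return compare(v, FIXED_4_2) >= 0;
    }

    // Version of the netty-handler jar actually on the classpath, or null if Netty's version
    // metadata (META-INF/io.netty.versions.properties) is missing, e.g. in a shaded jar.
    static String resolvedHandlerVersion() {
        Map<String, Version> versions = Version.identify();
        Version handler = versions.get("netty-handler");
        return handler == null ? null : handler.artifactVersion();
    }

    // Startup guard: fail closed rather than run a TLS client on a vulnerable or unidentifiable build.
    static void requireFixedNettyHandler() {
        String v = resolvedHandlerVersion();
        if (v == null) {
            throw new IllegalStateException("netty-handler version metadata not found; cannot confirm CVE-2026-50010 fix");
        }
        if (!isFixed(v)) {
            throw new IllegalStateException("netty-handler " + v + " is affected by CVE-2026-50010; upgrade to 4.1.135.Final or 4.2.15.Final");
        }
    }

    public static void main(String[] args) {
        for (String v : new String[] {"4.1.134.Final", "4.1.135.Final", "4.2.14.Final", "4.2.15.Final"}) {
            System.out.println(v + " fixed=" + isFixed(v));
        }
        requireFixedNettyHandler();
    }
}
```

For the build-time side of the same inventory, `mvn dependency:tree -Dincludes=io.netty:netty-handler` prints the resolved version per module, including transitive pulls through a BOM, which is where an old netty-handler usually hides.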


Vendor Status

SUSE (severity: Important)

Product: Status
openSUSE Tumbleweed: Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS: Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS: Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS: Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS: Affected
