Skip to main content

Apache Thrift EUVDEUVD-2026-26021

| CVE-2026-41603 HIGH
Improper Validation of Certificate with Host Mismatch (CWE-297)
2026-04-28
7.4
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Patch released
Apr 28, 2026 - 18:42 nvd
Patch available
Re-analysis Queued
Apr 28, 2026 - 16:37 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 15:23 vuln.today
CVSS changed
Apr 28, 2026 - 15:22 NVD
7.4 (HIGH)
Patch available
Apr 28, 2026 - 11:01 EUVD
EUVD ID Assigned
Apr 28, 2026 - 00:45 euvd
EUVD-2026-26021
Analysis Generated
Apr 28, 2026 - 00:45 vuln.today
CVE Published
Apr 28, 2026 - 00:45 nvd
HIGH 7.4

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.

Technical ContextAI

Apache Thrift is a cross-language RPC framework supporting multiple serialization protocols and transport layers. The vulnerability exists in the Java language binding's TSSLTransportFactory class, which handles TLS-encrypted socket connections. CWE-297 (Improper Certificate Validation) indicates the implementation fails to verify that the server's certificate Common Name or Subject Alternative Name matches the requested hostname during TLS handshake. This is a classic JSSE (Java Secure Socket Extension) misconfiguration where SSL/TLS is enabled but hostname verification is disabled or improperly implemented, similar to issues historically affecting HttpsURLConnection when setHostnameVerifier was misconfigured. The affected CPE per EUVD is cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:* for versions 0 through 0.22.x.

RemediationAI

Upgrade Apache Thrift Java library to version 0.23.0 or later, which includes proper hostname verification in TSSLTransportFactory per vendor advisory at https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql. Update Maven/Gradle dependency to org.apache.thrift:libthrift:0.23.0. If immediate upgrade is not feasible, implement compensating controls: configure external TLS termination at load balancer or reverse proxy layer with strict hostname verification enabled (e.g., nginx with ssl_verify_client and proper CA configuration), accepting trade-off of additional infrastructure complexity and potential performance overhead. Restrict Thrift service endpoints to trusted network segments only using firewall rules limiting source IPs to known client ranges, which reduces MITM attack surface but does not eliminate risk from compromised trusted hosts. Deploy mutual TLS (mTLS) with client certificates to add authentication layer independent of hostname verification, requiring certificate distribution infrastructure. Monitor TLS connection logs for certificate subject mismatches if logging capabilities exist. Note that network segmentation and mTLS add operational complexity but provide defense-in-depth when patching is delayed.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy