Description
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-04-28
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in Apache Thrift's TSSLTransportFactory, where certificate hostname verification is performed incorrectly. A certificate presented by an attacker that does not match the intended server hostname will be accepted by the client, permitting a man-in-the-middle attack. This enables an adversary to intercept, read, or modify data transmitted over the Thrift connection and potentially inject malicious payloads into the data flows that the client believes are protected.

Affected Systems

Apache Thrift, part of the Apache Software Foundation, is affected in all releases prior to version 0.23.0.

Risk and Exploitability

The CVSS score is 7.4 and the EPSS score is <1%, but because the exploitation requires only SSL/TLS interception, the likelihood of a successful MITM attack is significant in environments where Thrift services are publicly reachable. The vulnerability is not currently listed in the CISA KEV catalog, yet the absence of a KEV listing does not diminish the risk posed by casual or sophisticated adversaries attempting to spy on or tamper with Thrift traffic.

Generated by OpenCVE AI on April 28, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or later, which contains the certificate hostname verification fix.
  • Verify that the TSSLTransportFactory configuration explicitly enables hostname verification and that certificates presented by servers match the expected hostnames.
  • If an upgrade cannot be performed immediately, isolate exposed Thrift services behind a firewall or VPN and monitor TLS traffic for abnormal certificate usage.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache; Apache thrift
CPEs                                  cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*
Vendors & Products                    Apache; Apache thrift

Tue, 28 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 10:00:00 +0000

Type         Values Removed   Values Added
Description                   Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Title                         Apache Thrift: Java TSSLTransportFactory hostname verification
Weaknesses                    CWE-297; CWE-306
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T14:14:45.957Z

Reserved: 2026-04-21T21:31:04.826Z

Link: CVE-2026-41603

Vulnrichment

Updated: 2026-04-28T09:52:00.407Z

NVD

Status: Analyzed

Published: 2026-04-28T10:16:03.113

Modified: 2026-04-28T18:42:10.847

Link: CVE-2026-41603

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T10:10:57Z

Weaknesses