Description
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-04-28
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the Java TSSLTransportFactory of Apache Thrift (the component named in the advisory title): the TLS client transport it builds does not check that the server certificate was issued for the hostname the client connected to (CWE-297, Improper Validation of Certificate with Host Mismatch). A certificate that chains to a CA the client trusts but carries a different name is therefore accepted. An attacker positioned on the network path, or able to redirect the client's connection, can present such a certificate and act as a man‑in‑the‑middle, reading and modifying everything sent over the Thrift connection. Confidentiality and integrity of the transported data are affected; availability is not.
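The following is an added example, not code from the advisory or from the Apache Thrift project, showing the client-side mitigation for the behaviour described above: a raw JSSE SSLSocket performs no hostname check unless an endpoint identification algorithm is set, which is exactly the CWE-297 condition. The wrapper takes the socket that TSSLTransportFactory returns, switches on JSSE's "HTTPS" endpoint identification, and forces the handshake so that a name mismatch fails before any Thrift bytes are exchanged. Assumed, not taken from the page: the class and method names, the endpoint thrift.example.internal:9090, the truststore path and password, and that the TLS handshake has not started when getClientSocket returns (JSSE defers it to the first read or write). This is independent defence in depth; the page does not describe what the 0.23.0 patch itself changes.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.thrift.transport.TSSLTransportFactory;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransportException;

// Added example, not Thrift project code. Class/method names are mine.
public final class VerifiedThriftClient {

    /**
     * Opens a TLS Thrift transport to host:port and refuses to proceed unless the
     * server certificate is issued for that host, on top of the chain validation
     * against the truststore that TSSLTransportParameters already configures.
     */
    public static TSocket open(String host, int port, int timeoutMs,
                               String trustStore, String trustStorePassword)
            throws TTransportException {
        TSSLTransportFactory.TSSLTransportParameters params =
                new TSSLTransportFactory.TSSLTransportParameters();
        params.setTrustStore(trustStore, trustStorePassword);

        // Trust decision as a plain JSSE client socket makes it: the chain is checked,
        // but no hostname check happens unless an endpoint identification algorithm
        // is set, so a valid certificate for any other name would be accepted.
        TSocket transport = TSSLTransportFactory.getClientSocket(host, port, timeoutMs, params);

        Socket raw = transport.getSocket();
        if (!(raw instanceof SSLSocket)) {
            transport.close();
            throw new TTransportException("expected a TLS socket to " + host + ":" + port);
        }
        SSLSocket ssl = (SSLSocket) raw;

        // Hardening: have JSSE match the certificate's SAN dNSName entries (CN only as
        // legacy fallback) against the dialled host. Assumption: the handshake has not
        // started yet; setSSLParameters is silently ignored after the handshake, which
        // is why the handshake is forced immediately afterwards rather than left lazy.
        SSLParameters sp = ssl.getSSLParameters();
        sp.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(sp);
        try {
            ssl.startHandshake(); // SSLHandshakeException on name mismatch or bad chain
        } catch (IOException e) {
            transport.close();
            throw new TTransportException(TTransportException.NOT_OPEN,
                    "TLS handshake with " + host + " failed", e);
        }
        return transport;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint and truststore; not from the advisory.
        TSocket t = open("thrift.example.internal", 9090, 5000, "truststore.jks", "changeit");
        SSLSession s = ((SSLSocket) t.getSocket()).getSession();
        System.out.println("TLS to " + s.getPeerHost() + " verified, protocol " + s.getProtocol());
        t.close();
    }
}
```

The important ordering is parameters first, then handshake: if any Thrift read or write reaches the socket before setSSLParameters, JSSE negotiates with the old (unverified) parameters and the later call changes nothing. Wrapping the handshake failure in TTransportException keeps the call site identical to a plain getClientSocket call, so the check can be dropped in without touching the generated client code.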

Affected Systems

Apache Thrift versions before 0.23.0 are affected. Per the advisory title, the vulnerable component is the Java library's TSSLTransportFactory, so the systems at risk are Thrift clients built on that library that open TLS connections through it; the server presenting the certificate is not itself at fault. Bindings for other languages are not named in the advisory, and the recorded CPE is a single wildcard entry for apache:thrift, so treat any Java deployment on a pre‑0.23.0 release as affected.

Risk and Exploitability

The CVSS 3.1 base score is 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N): no privileges or user interaction are required, but attack complexity is High because the attacker must already be able to intercept or redirect the client's TLS connection and must hold a certificate that the client's truststore accepts, even though it was issued for a different name. The EPSS score is below 1%, the SSVC assessment records Exploitation: none and Automatable: no, and the CVE is not in the CISA KEV catalog. None of that lowers the impact of a successful interception, which gives the attacker read and write access to the Thrift traffic.

Generated by OpenCVE AI on May 1, 2026 at 05:37 UTC.

Remediation

Vendor fix: upgrade to Apache Thrift 0.23.0, per the advisory description. No workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or newer, which applies the correct hostname verification logic.
  • Verify that TSSLTransportFactory is configured to enable hostname verification and that the certificates presented by servers match the expected hostnames.
  • If upgrading cannot occur immediately, restrict access to Thrift services behind firewalls or VPNs, and monitor TLS traffic for certificates that do not match the host.
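The third action above, monitoring for certificates that do not match the requested host, is illustrated by the following added example. It is not code from the advisory, from OpenCVE, or from the Thrift project: it applies the dNSName matching rule (exact match, or a single leading wildcard label) to constructed records of the kind a TLS monitor would emit per session, and reports every session whose leaf certificate does not cover the SNI the client sent. The record layout, field names, client addresses and hostnames are all assumptions made for the example; the matching rule itself generalises beyond this CVE to any client-side host check. Java 16 or newer is assumed for the record syntax.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example, not Thrift project code. Record shape and names are mine.
public final class HostMismatchDetector {

    /** One observed TLS session: who connected, the SNI they sent, the leaf cert's SAN dNSNames. */
    public record Session(String clientIp, String serverName, List<String> sanDnsNames) {}

    /** dNSName match per RFC 6125 section 6.4.3: exact match, or one leading wildcard label. */
    static boolean matches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        int firstDot = h.indexOf('.');
        if (firstDot <= 0) {
            return false; // a wildcard never matches a single-label name
        }
        // "*.example.com" covers exactly one label: "a.example.com", not "a.b.example.com"
        return h.substring(firstDot).equals(p.substring(1));
    }

    /** True when at least one SAN covers the name the client asked for. */
    static boolean certCoversHost(Session s) {
        for (String san : s.sanDnsNames()) {
            if (matches(san, s.serverName())) {
                return true;
            }
        }
        return false;
    }

    /** Returns the sessions whose certificate was not issued for the requested host. */
    public static List<Session> findMismatches(List<Session> sessions) {
        List<Session> out = new ArrayList<>();
        for (Session s : sessions) {
            if (!certCoversHost(s)) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed records, standing in for per-session x509/ssl log lines from a TLS monitor.
        List<Session> observed = List.of(
            new Session("10.0.0.5", "thrift.example.internal", List.of("thrift.example.internal")),
            new Session("10.0.0.6", "thrift.example.internal", List.of("*.example.internal")),
            new Session("10.0.0.7", "thrift.example.internal", List.of("*.internal")),          // wildcard one label too high
            new Session("10.0.0.8", "thrift.example.internal", List.of("mitm.attacker.test")),  // valid chain, wrong name
            new Session("10.0.0.9", "api.example.internal",    List.of("api.example.internal", "*.example.internal"))
        );
        // Expected: alerts for 10.0.0.7 and 10.0.0.8 only.
        for (Session s : findMismatches(observed)) {
            System.out.println("ALERT host-mismatch client=" + s.clientIp()
                    + " sni=" + s.serverName() + " san=" + s.sanDnsNames());
        }
    }
}
```

Because the vulnerable client accepts the mismatched certificate silently, the client host produces no error of its own; the session record from a network-side monitor (SNI plus leaf certificate SANs) is the only place the mismatch is visible, which is why the check runs over observed sessions rather than over client logs. Note that the page does not say how the 0.23.0 fix performs its matching; this example is the generic rule, not the upstream implementation.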



Advisories

No advisories yet.

History

Thu, 30 Apr 2026 12:15:00 +0000

  Type         Values Removed              Values Added
  Weaknesses                               CWE-295
  References
  Metrics      threat_severity: None       threat_severity: Important

Tue, 28 Apr 2026 18:45:00 +0000

  Type                  Values Removed     Values Added
  First Time appeared                      Apache; Apache thrift
  CPEs                                     cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*
  Vendors & Products                       Apache; Apache thrift

Tue, 28 Apr 2026 15:15:00 +0000

  Type      Values Removed     Values Added
  Metrics                      cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 10:30:00 +0000

  Type         Values Removed     Values Added
  References

Tue, 28 Apr 2026 10:00:00 +0000

  Type          Values Removed     Values Added
  Description                      Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
  Title                            Apache Thrift: Java TSSLTransportFactory hostname verification
  Weaknesses                       CWE-297; CWE-306
  References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T14:14:45.957Z

Reserved: 2026-04-21T21:31:04.826Z

Link: CVE-2026-41603

Vulnrichment

Updated: 2026-04-28T09:52:00.407Z

NVD

Status : Analyzed

Published: 2026-04-28T10:16:03.113

Modified: 2026-04-28T18:42:10.847

Link: CVE-2026-41603

Redhat

Severity : Important

Public Date: 2026-04-28T09:19:40Z

Links: CVE-2026-41603 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T05:45:10Z

Weaknesses