Description
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-05-05
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper validation of TLS certificates in the TSSLTransportFactory class allows a holder of a certificate with an incorrect hostname to impersonate a genuine Thrift server. This flaw stems from a failure to check the hostname during the SSL/TLS handshake, falling under CWE‑297. An attacker could therefore inject, eavesdrop or modify data between a client and the Thrift service, compromising confidentiality and integrity.

Affected Systems

The vulnerability affects Apache Thrift implementations prior to version 0.23.0. Any instance of the Thrift library that relies on TSSLTransportFactory for encrypted transport is at risk if the upgrade has not been performed.

Risk and Exploitability

External data indicate the EPSS score is 0.00004, and the vulnerability is not present in the CISA KEV catalog. The CVSS score is 7.3; however, the flaw permits a network attacker to intercept traffic if the client does not enforce hostname verification. The likely attack vector is over a network channel where a client connects to a Thrift server, making the flaw exploitable without local privilege.

Generated by OpenCVE AI on May 6, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or later, which includes patch for hostname verification.
  • Reconfigure the Thrift client or server to enable hostname verification if upgrade is delayed; ensure the TLS handshake validates the server’s certificate against the expected hostname.
  • After applying the changes, restart Thrift services to activate the updated security settings.

Generated by OpenCVE AI on May 6, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7pwc-h2j2-rjgj Apache Thrift has an Improper Validation of Certificate with Host Mismatch Vulnerability
History

Wed, 06 May 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:thrift:*:*:*:*:*:*:*:*

Wed, 06 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache thrift
Vendors & Products Apache
Apache thrift

Tue, 05 May 2026 09:30:00 +0000

Type Values Removed Values Added
References

Tue, 05 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Title Apache Thrift: TSSLTransportFactory.java hostname verification
Weaknesses CWE-297
References

Subscriptions

Apache Thrift
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-06T13:01:42.213Z

Reserved: 2026-05-04T14:22:44.030Z

Link: CVE-2026-43869

cve-icon Vulnrichment

Updated: 2026-05-05T07:42:21.000Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T08:16:01.063

Modified: 2026-05-06T18:05:26.533

Link: CVE-2026-43869

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T17:00:05Z

Weaknesses