Description
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper validation of TLS certificates in the TSSLTransportFactory class allows a holder of a certificate with an incorrect hostname to impersonate a genuine Thrift server. This flaw stems from a failure to check the hostname during the SSL/TLS handshake, falling under CWE‑297. An attacker could therefore inject, eavesdrop or modify data between a client and the Thrift service, compromising confidentiality and integrity.

Affected Systems

The vulnerability affects Apache Thrift implementations prior to version 0.23.0. Any instance of the Thrift library that relies on TSSLTransportFactory for encrypted transport is at risk if the upgrade has not been performed.

Risk and Exploitability

External data indicate the EPSS score is not listed and the vulnerability is not present in the CISA KEV catalog. The CVSS score is not provided; however, the flaw permits a network attacker to intercept traffic if the client does not enforce hostname verification. The likely attack vector is over a network channel where a client connects to a Thrift server, making the flaw exploitable without local privilege.

Generated by OpenCVE AI on May 5, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Thrift to version 0.23.0 or later, which includes patch for hostname verification.
  • Reconfigure the Thrift client or server to enable hostname verification if upgrade is delayed; ensure the TLS handshake validates the server’s certificate against the expected hostname.
  • After applying the changes, restart Thrift services to activate the updated security settings.

Generated by OpenCVE AI on May 5, 2026 at 08:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 09:30:00 +0000

Type Values Removed Values Added
References

Tue, 05 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Title Apache Thrift: TSSLTransportFactory.java hostname verification
Weaknesses CWE-297
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-05T07:42:21.000Z

Reserved: 2026-05-04T14:22:44.030Z

Link: CVE-2026-43869

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T08:16:01.063

Modified: 2026-05-05T09:16:04.240

Link: CVE-2026-43869

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T08:30:20Z

Weaknesses