CVE-2026-27448
Unhandled Exception Bypass in pyOpenSSL TLS Servername Callback
Publication date: 2026-03-18
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pyopenssl | pyopenssl | From 0.14 (inclusive) to 26.0.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-636 | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27448 is a vulnerability in the pyOpenSSL library affecting versions from 0.14.0 up to but not including 26.0.0. The issue occurs when a user provides a callback function to set_tlsext_servername_callback that raises an unhandled exception. Instead of rejecting the connection, the library would accept it, potentially allowing an attacker to bypass any security-sensitive logic implemented in that callback.
This behavior was fixed starting in version 26.0.0, where unhandled exceptions in the callback now cause the connection to be rejected, preventing the bypass.
How can this vulnerability impact me?
If you rely on the set_tlsext_servername_callback for security-sensitive operations, this vulnerability could allow an attacker to bypass those security checks by triggering an unhandled exception in the callback. This means unauthorized connections might be accepted, potentially exposing your system to unauthorized access or other security risks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when a user-provided callback registered via set_tlsext_servername_callback raises an unhandled exception and the connection is nevertheless accepted. Detection would involve monitoring for TLS connections that were accepted even though the servername callback failed.
Since the issue is related to the behavior of the pyOpenSSL library during TLS handshakes, detection could include reviewing logs for TLS handshake anomalies or errors related to servername callbacks.
No specific commands or network detection signatures are provided in the available resources.
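Since the page offers no detection commands, the following is an added example (not from the advisory or from pyOpenSSL) that checks for the affected version range in two places: a `pip freeze` / requirements-style listing and the currently installed distribution. The range 0.14 (inclusive) to 26.0.0 (exclusive) is taken from the product table above; the sample freeze output is constructed for the demonstration.

```python
"""Flag pyOpenSSL installs or pins in the CVE-2026-27448 affected range
(0.14 <= version < 26.0.0, per the advisory's product table).

Added example; not part of the advisory or of pyOpenSSL.
"""
import re
from importlib import metadata

AFFECTED_FROM = (0, 14, 0)    # inclusive lower bound from the product table
FIXED_IN = (26, 0, 0)         # exclusive upper bound: first fixed release


def parse_version(text):
    """Turn '25.1.0', '0.14' or '24.2.1.post1' into a 3-tuple of ints.
    Only the numeric release segment is compared; pre/post/dev tags are ignored."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(version_text):
    """True when the version falls inside [AFFECTED_FROM, FIXED_IN)."""
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def scan_freeze_output(lines):
    """Scan 'name==version' lines (pip freeze, requirements.txt) and return
    the affected pyOpenSSL pins as (package, version) tuples."""
    findings = []
    for line in lines:
        m = re.match(r"\s*(pyopenssl)\s*==\s*([\w.]+)", line, re.IGNORECASE)
        if m and is_affected(m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings


def check_installed():
    """Return (version, affected) for the pyOpenSSL in this interpreter's
    environment, or (None, False) when it is not installed."""
    try:
        ver = metadata.version("pyOpenSSL")
    except metadata.PackageNotFoundError:
        return None, False
    return ver, is_affected(ver)


# Constructed sample of a pip-freeze dump used for the demonstration.
SAMPLE_FREEZE = """\
cryptography==43.0.1
pyOpenSSL==24.2.1
requests==2.32.3
"""

if __name__ == "__main__":
    for pkg, ver in scan_freeze_output(SAMPLE_FREEZE.splitlines()):
        print(f"affected pin: {pkg}=={ver}")
    ver, affected = check_installed()
    if ver is None:
        print("pyOpenSSL is not installed in this environment")
    else:
        print(f"installed pyOpenSSL {ver}: {'AFFECTED' if affected else 'not affected'}")
```

Run it inside each virtual environment or container image that serves TLS with pyOpenSSL, and feed it the lock files of deployed services; a pin below 26.0.0 is a finding regardless of whether the servername callback is currently used, since a later change can introduce one.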
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade pyOpenSSL to version 26.0.0 or later, where the vulnerability is fixed by rejecting connections if the user-provided callback raises an unhandled exception.
Ensure that any user-provided callbacks registered via set_tlsext_servername_callback properly handle exceptions to avoid unexpected behavior.
Review your TLS server configuration and update dependencies to the fixed versions as soon as possible.
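To make the advice on exception handling concrete, here is an added example (not code from pyOpenSSL or from the advisory) of a fail-closed wrapper for a servername callback. It assumes only the real pyOpenSSL shapes `Context.set_tlsext_servername_callback(cb)` and `Connection.get_servername()`; the rejection mechanism (marking the connection and having the accept loop close it after the handshake) is this example's own mitigation choice for deployments that cannot yet move to 26.0.0, where the library itself rejects the connection. The allow-list and the stub connection are constructed for the demonstration.

```python
"""Fail-closed wrapper for a pyOpenSSL servername (SNI) callback.

Added example, not code from pyOpenSSL or the advisory.  Before 26.0.0 an
exception raised inside the callback did not stop the connection from being
accepted, so the wrapper converts any failure into an explicit rejection
that the server's accept loop enforces.
"""
import logging
import weakref

log = logging.getLogger("sni-guard")

# Connections whose check denied them or whose callback raised.  A WeakSet
# drops entries automatically once the Connection object is gone.
REJECTED = weakref.WeakSet()


def fail_closed(callback):
    """Wrap a servername callback so that anything other than an explicit
    allow marks the connection for rejection.  The check may raise (lookup
    error, malformed SNI, missing attribute); the wrapper turns that into a
    rejection instead of letting the handshake proceed unchallenged."""
    def wrapper(conn):
        try:
            allowed = callback(conn)
        except Exception:
            log.exception("servername callback raised; rejecting connection")
            allowed = False
        if not allowed:
            REJECTED.add(conn)
    return wrapper


def is_rejected(conn):
    """Consulted by the accept loop after do_handshake()."""
    return conn in REJECTED


# Constructed allow-list for the example.
ALLOWED_HOSTS = {b"api.example.test", b"www.example.test"}


def check_sni(conn):
    """Security-sensitive check: only serve names on the allow-list.
    Deliberately unguarded: a client that sends no SNI makes get_servername()
    return None, and None.lower() raises AttributeError.  Without the wrapper
    that exception would, on affected versions, leave the connection accepted."""
    name = conn.get_servername()
    return name.lower() in ALLOWED_HOSTS


class _StubConnection:
    """Stand-in for OpenSSL.SSL.Connection so the wrapper can be exercised
    without a TLS handshake (constructed for this example)."""
    def __init__(self, servername):
        self._servername = servername

    def get_servername(self):
        return self._servername


def handshake_outcome(servername):
    """Simulate what the accept loop would decide for a given SNI value:
    'accepted' or 'rejected'."""
    conn = _StubConnection(servername)
    fail_closed(check_sni)(conn)
    return "rejected" if is_rejected(conn) else "accepted"


# On a real server the registration is:
#   ctx.set_tlsext_servername_callback(fail_closed(check_sni))
# and after conn.do_handshake() the loop does:
#   if is_rejected(conn): conn.shutdown(); conn.close()

if __name__ == "__main__":
    for sni in (b"api.example.test", b"evil.example.test", None):
        print(sni, "->", handshake_outcome(sni))
```

The important property is that the "no decision" paths (an exception, a falsy return) all land on the reject side; the callback author only has to return `True` for the cases that should be served. Upgrading to 26.0.0 remains the real fix, since the wrapper still lets the handshake complete before the server closes the socket.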