CVE-2026-27448
Received Received - Intake
Unhandled Exception Bypass in pyOpenSSL TLS Servername Callback

Publication date: 2026-03-18

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27448
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pyopenssl pyopenssl From 0.14 (inc) to 26.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27448 is a vulnerability in the pyOpenSSL library affecting versions from 0.14.0 up to but not including 26.0.0. The issue occurs when a user provides a callback function to set_tlsext_servername_callback that raises an unhandled exception. Instead of rejecting the connection, the library would accept it, potentially allowing an attacker to bypass any security-sensitive logic implemented in that callback.

This behavior was fixed starting in version 26.0.0, where unhandled exceptions in the callback now cause the connection to be rejected, preventing the bypass.

Impact Analysis

If you rely on the set_tlsext_servername_callback for security-sensitive operations, this vulnerability could allow an attacker to bypass those security checks by triggering an unhandled exception in the callback. This means unauthorized connections might be accepted, potentially exposing your system to unauthorized access or other security risks.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves a user-provided callback to set_tlsext_servername_callback raising an unhandled exception but the connection still being accepted. Detection would involve monitoring for unexpected acceptance of TLS connections where the servername callback might fail.

Since the issue is related to the behavior of the pyOpenSSL library during TLS handshakes, detection could include reviewing logs for TLS handshake anomalies or errors related to servername callbacks.

No specific commands or network detection signatures are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade pyOpenSSL to version 26.0.0 or later, where the vulnerability is fixed by rejecting connections if the user-provided callback raises an unhandled exception.

Ensure that any user-provided callbacks registered via set_tlsext_servername_callback properly handle exceptions to avoid unexpected behavior.

Review your TLS server configuration and update dependencies to the fixed versions as soon as possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart