CVE-2026-41603
Improper Certificate Validation in Apache Thrift Before
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | thrift | to 0.23.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-297 | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41603 is a critical vulnerability in Apache Thrift versions prior to 0.23.0, specifically in the Java TSSLTransportFactory component.
The issue involves improper validation of SSL/TLS certificates when there is a hostname mismatch, which means the software does not correctly verify that the certificate presented matches the expected hostname.
This flaw allows an attacker to bypass hostname verification during the SSL/TLS handshake.
How can this vulnerability impact me? :
This vulnerability can lead to serious security risks such as man-in-the-middle (MITM) attacks.
An attacker exploiting this flaw can intercept or alter communications by presenting a certificate with a mismatched hostname that the system incorrectly accepts.
This compromises the confidentiality and integrity of data transmitted over SSL/TLS connections using affected Apache Thrift versions.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Apache Thrift to version 0.23.0 or later, as this version contains the fix for the improper validation of SSL/TLS certificates with hostname mismatches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability involves improper validation of SSL/TLS certificates with hostname mismatches, which can lead to man-in-the-middle attacks. Such security weaknesses may impact the confidentiality and integrity of data transmissions.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that allow interception or tampering of sensitive data could potentially lead to non-compliance with these regulations, which require protection of personal and health information.
Users are advised to upgrade to Apache Thrift version 0.23.0 to mitigate this risk.