CVE-2026-43870
Path Traversal in Apache Thrift
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | thrift | to 0.23.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-43870 affects Apache Thrift versions before 0.23.0 and involves multiple security issues in the Node.js web_server.js implementation.
- Origin validation error
- Path traversal flaw allowing access to restricted directories
- HTTP request/response splitting due to improper neutralization of CRLF sequences in HTTP headers
- Uncontrolled resource consumption vulnerability
The recommended fix is to upgrade Apache Thrift to version 0.23.0 or later.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to restricted directories, manipulation of HTTP headers causing request/response splitting, and excessive resource consumption.
Such impacts may result in security breaches, data exposure, denial of service, or other malicious activities against systems using vulnerable Apache Thrift versions.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Apache Thrift to version 0.23.0 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-43870 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.