CVE-2026-43869

HIGH

Apache Thrift: TSSLTransportFactory.java hostname verification

Title source: cna

Description

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/05/3

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r

Scores

CVSS v3 7.3

EPSS 0.0004

EPSS Percentile 10.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-297

Status published

Products (3)

apache/thrift < 0.23.0

Apache Software Foundation/Apache Thrift < 0.23.0

org.apache.thrift/libthrift 0 - 0.22.0Maven

Published May 05, 2026

Tracked Since May 05, 2026