High severity, CVSS 7.3 (NVD) · Advisory published May 5, 2026 · Updated May 6, 2026
CVE-2026-43869
Description
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.thrift:libthrift (Maven) | <= 0.22.0 | — |
Patches (2)
- 0919c3d55061: Enable TLS hostname verification in TSSLTransportFactory
1 file changed · +4 −0
lib/java/src/main/java/org/apache/thrift/transport/TSSLTransportFactory.java+4 −0 modified@@ -30,6 +30,7 @@ import java.util.Arrays; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLParameters; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLServerSocketFactory; import javax.net.ssl.SSLSocket; @@ -343,6 +344,9 @@ private static TSocket createClient(SSLSocketFactory factory, String host, int p try { SSLSocket socket = (SSLSocket) factory.createSocket(host, port); socket.setSoTimeout(timeout); + SSLParameters sslParams = socket.getSSLParameters(); + sslParams.setEndpointIdentificationAlgorithm("HTTPS"); + socket.setSSLParameters(sslParams); return new TSocket(socket); } catch (TTransportException tte) { throw tte;
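Review bot: the three added lines in createClient are placed correctly, since `SSLSocketFactory.createSocket(host, port)` returns a connected socket whose TLS handshake has not started yet, so `socket.setSSLParameters(sslParams)` with `setEndpointIdentificationAlgorithm("HTTPS")` takes effect on the first handshake; two things are still missing from this single-file change. First, the check is unconditional, so existing clients whose servers present a certificate without `host` in its Subject Alternative Name will start failing after the upgrade, and that behaviour change belongs in the release notes (the identification is done against the `host` string the caller passed, so callers that pass an IP address get IP-SAN matching). Second, no test accompanies the change; a unit test asserting that a connection to a server presenting a certificate for a different name is rejected would guard against this verification being silently dropped again.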
References (6)
- www.openwall.com/lists/oss-security/2026/05/05/3 (oss-security mailing list, third-party advisory)
- github.com/advisories/GHSA-7pwc-h2j2-rjgj (GitHub Security Advisory)
- lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-43869 (NVD entry)
- github.com/apache/thrift/commit/0919c3d5506151514e283a63e1fe1ce83e2449d8 (fix commit)
- github.com/apache/thrift/releases/tag/v0.23.0 (fixed release)
News mentions (1)
- Patch Tuesday - May 2026 (Rapid7 Blog, May 13, 2026)