CVE-2026-50010
Description
Netty's trust manager wrapping silently disables TLS hostname verification when using a plain X509TrustManager, enabling man-in-the-middle attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Netty versions prior to 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() wraps any user-supplied plain X509TrustManager in an X509TrustManagerWrapper. This wrapper extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and delegating to the 2-arg method. Because the object now implements X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper re-wraps it to add endpoint identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, hostname verification is silently disabled when a client uses SslContextBuilder.forClient().trustManager(somePlainX509TrustManager). [1][2][3]
Exploitation
An attacker with network position (e.g., on the same network or able to intercept TLS connections) can exploit this vulnerability. The attacker only needs to present a valid certificate trusted by the client's trust manager; the client will not verify that the certificate's hostname matches the intended server. No authentication, user interaction, or special privileges are required beyond network access. The attack is straightforward: the attacker performs a man-in-the-middle attack, intercepting the TLS handshake and presenting a forged certificate. [3]
Impact
Successful exploitation allows an attacker to perform man-in-the-middle attacks, bypassing TLS hostname verification entirely. This can lead to disclosure of sensitive information, credential theft, and compromise of data integrity. The impact is high as the vulnerability undermines the security guarantee of TLS connections in affected client applications. [3]
Mitigation
Netty released fixed versions 4.1.135.Final and 4.2.15.Final on 2026-06-12. Users should upgrade to these versions or later. For users who cannot upgrade, ensure that custom trust managers are not wrapped by SimpleTrustManagerFactory or implement hostname verification externally. No other workarounds are available in the references. [1][2][3]
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
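As an added illustration (not Netty's code and not drawn from this advisory's sources): the vulnerable pattern is any custom checking logic placed in a plain X509TrustManager and handed to SslContextBuilder.forClient().trustManager(...). The hardened variant below keeps the same policy but implements X509ExtendedTrustManager and forwards the SSLEngine to the JDK's own trust manager, so endpoint identification runs inside the 3-arg check and there is nothing for Netty to wrap; it also requests the "HTTPS" algorithm explicitly on the engine rather than relying on a version-specific default. The trust store, the leaf-must-not-be-a-CA rule and the class and method names are assumptions made for the example.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public final class HostnameSafeTrust {
    // Custom rule used for illustration (an assumption): the leaf certificate must not be a CA.
    static void policy(X509Certificate[] chain) throws CertificateException {
        if (chain.length == 0 || chain[0].getBasicConstraints() != -1) throw new CertificateException("leaf must not be a CA");
    }

    // The JDK's own trust manager for this store. Its SSLEngine-aware checkServerTrusted performs
    // endpoint identification when the engine's SSLParameters name an algorithm such as "HTTPS".
    static X509ExtendedTrustManager jdkTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return (X509ExtendedTrustManager) tmf.getTrustManagers()[0]; // SunJSSE's PKIX factory returns an extended impl
    }

    // VULNERABLE pattern (see Vulnerability above): the same policy in a plain X509TrustManager, whose 2-arg
    // checkServerTrusted is all that survives Netty's wrapping. HARDENED: forward engine/socket to the JDK manager.
    static X509ExtendedTrustManager extendedWithPolicy(X509ExtendedTrustManager jdk) {
        return new X509ExtendedTrustManager() {
            public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { policy(c); jdk.checkServerTrusted(c, a, e); }
            public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { policy(c); jdk.checkServerTrusted(c, a, s); }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { policy(c); jdk.checkServerTrusted(c, a); }
            public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { jdk.checkClientTrusted(c, a, e); }
            public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { jdk.checkClientTrusted(c, a, s); }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { jdk.checkClientTrusted(c, a); }
            public X509Certificate[] getAcceptedIssuers() { return jdk.getAcceptedIssuers(); }
        };
    }

    // Client handler: give Netty the peer host and request "HTTPS" endpoint identification explicitly
    // instead of relying on Netty's version-specific default.
    static SslHandler clientHandler(KeyStore trustStore, ByteBufAllocator alloc, String host, int port) throws Exception {
        SslContext ctx = SslContextBuilder.forClient().trustManager(extendedWithPolicy(jdkTrustManager(trustStore))).build();
        SslHandler handler = ctx.newHandler(alloc, host, port);
        SSLParameters p = handler.engine().getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        handler.engine().setSSLParameters(p);
        return handler;
    }
}
```

A quick regression check for a client built this way is to connect to a test server whose certificate is trusted by the store but issued for a different name; the handshake must fail with a CertificateException.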
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.