CVE-2026-41603
Published: 28 April 2026
Summary
CVE-2026-41603 is a high-severity Improper Validation of Certificate with Host Mismatch (CWE-297) vulnerability in Apache Thrift. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely identification, testing, and deployment of patches such as upgrading Apache Thrift to version 0.23.0 which fixes the improper certificate validation.
Requires establishment and management of PKI certificates with validation processes that address host mismatch issues to prevent man-in-the-middle attacks during Thrift TLS connections.
Mandates implementation of cryptographic protections using compliant modules and standards, ensuring proper TLS usage that includes certificate validation to counter the host mismatch flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper TLS certificate hostname validation directly enables successful man-in-the-middle attacks for interception and tampering.
NVD Description
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
Deeper analysisAI
CVE-2026-41603 is an Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift, affecting versions prior to 0.23.0. This flaw, associated with CWE-297 (Improper Validation of Certificate with Host Mismatch) and CWE-306 (Missing Authentication for Critical Function), enables inadequate checking of TLS certificates against expected hostnames during connections.
Remote attackers can exploit this vulnerability over the network without privileges or user interaction, though it requires high attack complexity. Successful exploitation results in high confidentiality and integrity impacts, such as potential man-in-the-middle attacks allowing data interception or tampering, with no availability disruption.
Apache advisories recommend upgrading to version 0.23.0, which addresses the issue. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/04/28/7. The vulnerability has a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
Details
- CWE(s)