CVE-2026-41603
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Use
CVSS
7.4
High
EPSS
0.6%
p43
KEV
—
Exploit Today
13
0-100
Published: Apr 28, 2026 · Last modified: Jul 15, 2026 · CWE-297 · CWE-306 · CWE-295
0.6%EPSS · 30 days0.6%
2026-06-302026-07-17
Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
- lists.apache.orghttps://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/04/28/7
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:14885
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:21769
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22347
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22423
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:23345
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24539
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36882
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-41603
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2463411
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41603.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-32489.8 CRI100.0%
KEV—80Langflow Missing Authentication Vulnerability3dCVE-2024-116809.8 CRI99.8%
KEV—80ProjectSend Improper Authentication Vulnerability3dCVE-2026-561645.3 MED92.0%
KEV—78Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability3dCVE-2026-468179.8 CRI60.3%
KEV—68Oracle E-Business Suite Improper Privilege Management Vulnerability2dCVE-2023-278239.8 CRI98.9%
——30An authentication bypass in Optoma 1080PSTX C02 allows an attacker to access the administration console without valid credentials.9dCVE-2022-245629.8 CRI98.9%
——30In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.9d