CVE-2026-27448

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst#L27	Release Notes
https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0	Patch
https://github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pyopenssl:pyopenssl:*:*:*:*:*:*:*:*

History

23 Mar 2026, 18:10

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
First Time		Pyopenssl pyopenssl Pyopenssl
CPE		cpe:2.3:a:pyopenssl:pyopenssl::::::::
References	~~() https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst#L27 -~~	() https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst#L27 - Release Notes
References	~~() https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0 -~~	() https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0 - Patch
References	~~() https://github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424 -~~	() https://github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424 - Vendor Advisory

18 Mar 2026, 14:52

Type	Values Removed	Values Added
Summary		(es) pyOpenSSL es un envoltorio de Python alrededor de la biblioteca OpenSSL. A partir de la versión 0.14.0 y antes de la versión 26.0.0, si un callback proporcionado por el usuario a `set_tlsext_servername_callback` generaba una excepción no controlada, esto daba como resultado que se aceptara una conexión. Si un usuario dependía de este callback para cualquier comportamiento sensible a la seguridad, esto podría permitir eludirlo. A partir de la versión 26.0.0, las excepciones no controladas ahora dan como resultado el rechazo de la conexión.

18 Mar 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-18 00:16

Updated : 2026-03-23 18:10

NVD link : CVE-2026-27448

Mitre link : CVE-2026-27448

CVE.ORG link : CVE-2026-27448

JSON object : View

Products Affected

pyopenssl

pyopenssl

CWE

CWE-636

Not Failing Securely ('Failing Open')

5.3 /10