GHSA-x5hg-x4gv-j98m: OpenSearch has ineffective TLS certificate hostname verification
A regression was introduced in OpenSearch 2.18.0 that caused the plugins.security.ssl.transport.enforce_hostname_verification setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node’s TLS certificate matched the hostname of the connection. This could allow a node with a valid certificate (signed by the cluster’s trusted CA) but an incorrect hostname SAN to join the cluster.
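To make the failure mode concrete, here is an added illustration (not OpenSearch's code, which is Java) of what `enforce_hostname_verification` is meant to add on top of the CA check: after the chain validates, the peer certificate's SAN must match the hostname the transport connection was made to. The certificate dicts, CA name and node names below are constructed; the `subjectAltName` layout follows what Python's `ssl.SSLSocket.getpeercert()` returns, and `regressed=True` models the 2.18.0 behaviour in which the setting is read but never applied.

```python
import ipaddress

def _dns_label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a single leading '*' covers exactly one leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def san_matches(san, host: str) -> bool:
    """san: subjectAltName tuple of (kind, value) pairs, getpeercert() style."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_label_match(value, host):
            return True
    return False

def admit_node(cert, expected_host, trusted_ca_cn, enforce_hostname_verification,
               regressed=False):
    """Return True if a transport-layer peer should be accepted.

    Step 1 is the CA check every build performs.  Step 2 is the hostname check
    the setting is supposed to enable; with regressed=True it is skipped even
    though the setting is on, which is the condition the advisory describes."""
    if cert.get("issuer_cn") != trusted_ca_cn:          # step 1: chain trust
        return False
    if enforce_hostname_verification and not regressed:  # step 2: SAN vs hostname
        return san_matches(cert.get("subjectAltName", ()), expected_host)
    return True

# Constructed sample certificates: both signed by the cluster CA, only one
# carries the SAN of the node we actually dialled.
CLUSTER_CA = "cluster-ca"
GOOD_CERT = {"issuer_cn": CLUSTER_CA,
             "subjectAltName": (("DNS", "node1.cluster.internal"),)}
WRONG_SAN_CERT = {"issuer_cn": CLUSTER_CA,
                  "subjectAltName": (("DNS", "other-host.cluster.internal"),)}
```

Running `admit_node(WRONG_SAN_CERT, "node1.cluster.internal", CLUSTER_CA, True, regressed=True)` returns True, which is exactly the admission the fixed check refuses.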