CVE-2026-27448: pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback
If a user-provided callback registered with set_tlsext_servername_callback raised an unhandled exception, the connection was accepted anyway. If the callback was being relied on for any security-sensitive behavior (for example, rejecting connections based on the SNI server name), this allowed that check to be bypassed.
Unhandled exceptions in the callback now result in the connection being rejected.
Credit to Leury Castillo for reporting this issue.
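The following is an added example (not pyOpenSSL's own code, nor the fix referenced above) showing the failure mode from a defender's side: a security check inside the SNI callback that raises on unexpected input, and a fail-closed wrapper that turns any exception into an explicit deny regardless of what the library does with the exception. The policy, allow-list, `Decision` type and the `_FakeConnection` stand-in are all constructed for this illustration so it runs without an OpenSSL socket; the wiring in `make_servername_callback` assumes the documented pyOpenSSL `Connection` methods `get_servername()`, `set_app_data()` and `get_app_data()`.

```python
"""Fail-closed SNI policy wrapper, illustrating the CVE-2026-27448 failure mode.

Added example, not code from the pyOpenSSL project. The policy, the
allow-list and the connection stand-in below are constructed for the demo.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("sni_policy")

# Constructed allow-list; a real deployment would load this from configuration.
ALLOWED_SERVERNAMES = {b"api.example.test", b"www.example.test"}


def sni_policy(servername):
    """Security check on the client's SNI value.

    Returns True to accept. Raises on unexpected input, which is exactly the
    case the advisory describes: an exception escaping this function must
    never be turned into an accepted connection.
    """
    if servername is None:
        raise ValueError("client sent no server_name extension")
    if servername not in ALLOWED_SERVERNAMES:
        raise PermissionError("unknown server name: %r" % servername)
    return True


@dataclass
class Decision:
    accepted: bool
    reason: str


def vulnerable_dispatch(policy, servername):
    """Models the pre-fix behaviour the advisory describes: an exception
    escaping the user callback is not converted into a handshake error, so
    the connection proceeds as though the callback had succeeded."""
    try:
        policy(servername)
    except Exception as exc:  # swallowed by the library; connection continues
        return Decision(True, "callback raised %s but connection accepted"
                        % type(exc).__name__)
    return Decision(True, "policy accepted")


def fail_closed(policy):
    """Wrap a policy so that any exception, and any non-True result, is a deny."""
    def wrapper(servername):
        try:
            if policy(servername) is True:
                return Decision(True, "policy accepted")
            return Decision(False, "policy did not explicitly accept")
        except Exception as exc:
            log.warning("SNI policy error for %r: %s", servername, exc)
            return Decision(False, "policy raised %s" % type(exc).__name__)
    return wrapper


def make_servername_callback(policy):
    """Build a callback suitable for Context.set_tlsext_servername_callback.

    The decision is stored on the Connection via set_app_data so the server
    can re-check it after do_handshake() and close denied connections even on
    a library version that ignores the exception; on a deny we also raise, so
    fixed pyOpenSSL versions abort the handshake themselves.
    """
    checked = fail_closed(policy)

    def callback(connection):
        decision = checked(connection.get_servername())
        connection.set_app_data(decision)
        if not decision.accepted:
            raise RuntimeError("SNI rejected: " + decision.reason)
    return callback


class _FakeConnection:
    """Stand-in for OpenSSL.SSL.Connection, constructed so the demo runs offline."""

    def __init__(self, servername):
        self._servername = servername
        self._app_data = None

    def get_servername(self):
        return self._servername

    def set_app_data(self, data):
        self._app_data = data

    def get_app_data(self):
        return self._app_data


def simulate_handshake(servername):
    """Invoke the callback the way the library would and return the recorded decision."""
    conn = _FakeConnection(servername)
    callback = make_servername_callback(sni_policy)
    try:
        callback(conn)
    except RuntimeError:
        pass  # a fixed pyOpenSSL would abort the handshake at this point
    return conn.get_app_data()
```

In a real server the post-handshake check is simply `if not conn.get_app_data().accepted: conn.shutdown()`, which gives the same fail-closed outcome on both vulnerable and fixed library versions.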
References
- github.com/advisories/GHSA-vp96-hxj8-p424
- github.com/pyca/pyopenssl
- github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst
- github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0
- github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424
- nvd.nist.gov/vuln/detail/CVE-2026-27448