Improper Certificate Validation in Netty - CVE-2026-50010

Published: June 8, 2026


Vulnerability identifier: #VU133452
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-50010
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Netty project
Affected software: Netty

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper certificate validation in X509TrustManagerWrapper within netty-handler when establishing client TLS connections with a user-supplied plain X509TrustManager. A remote attacker can present a certificate for an unexpected hostname to disclose sensitive information.

The issue occurs because hostname verification is not performed in this configuration, even when HTTPS endpoint identification is expected by default.
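As an added illustration, not code from the Netty project or from this advisory, the Java class below shows where the gap described above sits: a plain X509TrustManager only has the two-argument checkServerTrusted, which never sees the SSLEngine or the peer host, so whatever promotes it to an X509ExtendedTrustManager is the only place hostname verification can happen. The class name, the expectedHost constructor argument and the helper methods are assumptions for the example; the wrapper validates the chain through the delegate and then requires a SAN dNSName entry matching the intended host.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical wrapper (not Netty's X509TrustManagerWrapper): promotes a plain
 * X509TrustManager to an X509ExtendedTrustManager and adds the hostname check
 * that the plain interface cannot perform on its own.
 */
public final class HostnameCheckingTrustManager extends X509ExtendedTrustManager {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName

    private final X509TrustManager delegate;   // chain/CA validation only
    private final String expectedHost;         // host the client meant to reach (assumed input)

    public HostnameCheckingTrustManager(X509TrustManager delegate, String expectedHost) {
        this.delegate = delegate;
        this.expectedHost = expectedHost.toLowerCase(Locale.ROOT);
    }

    /** Belt and braces: also record on the engine that HTTPS endpoint identification is required. */
    public static void requireHttpsEndpointIdentification(SSLEngine engine) {
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }

    // Plain X509TrustManager methods: no engine is available, so the expected host is used.
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkServerTrusted(chain, authType); checkHostname(chain[0]); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    // Extended methods: JSSE calls these on an X509ExtendedTrustManager and expects the
    // trust manager itself to honour endpoint identification, so the check lives here.
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkServerTrusted(chain, authType); checkHostname(chain[0]); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkServerTrusted(chain, authType); checkHostname(chain[0]); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }

    /** Reject the leaf certificate unless one of its SAN dNSName entries matches expectedHost. */
    private void checkHostname(X509Certificate leaf) throws CertificateException {
        Collection<List<?>> sans;
        try {
            sans = leaf.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            throw new CertificateException("unparseable subjectAltName extension", e);
        }
        if (sans != null) {
            for (List<?> san : sans) {
                if (SAN_DNS_NAME == (Integer) san.get(0)
                        && dnsNameMatches((String) san.get(1), expectedHost)) {
                    return;
                }
            }
        }
        // No SAN match: deliberately no fallback to the Subject CN.
        throw new CertificateException("server certificate does not match expected host " + expectedHost);
    }

    /** Exact match, or a wildcard covering exactly one leftmost label (RFC 6125 style). */
    static boolean dnsNameMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        if (p.equals(host)) {
            return true;
        }
        if (p.startsWith("*.") && p.indexOf('.', 2) > 0) {   // refuse "*.com"-style patterns
            int dot = host.indexOf('.');                        // "*.example.com" covers "api.example.com"
            return dot > 0 && host.substring(dot).equals(p.substring(1)); // but not "a.b.example.com"
        }
        return false;
    }
}
```

An application that supplies its own trust manager to the client-side SslContextBuilder would pass an instance of this class instead of the plain X509TrustManager; the point of the example is that the hostname check is a property of the wrapping layer, which is why the vendor update is the actual fix and a wrapper like this is only a defence-in-depth check in application code.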


How to mitigate CVE-2026-50010

Install the security update from the vendor's website.

Sources