{
  "threat_severity" : "Important",
  "public_date" : "2026-04-28T09:19:40Z",
  "bugzilla" : {
    "description" : "Apache Thrift: apache.com/apache/thrift: Apache Thrift: Security Bypass via Improper Certificate Hostname Validation",
    "id" : "2463411",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463411"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.\nThis issue affects Apache Thrift: before 0.23.0.\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.", "A flaw was found in Apache Thrift. This vulnerability involves improper validation of server certificates, where the hostname presented in the certificate does not match the expected hostname. A remote attacker could exploit this to impersonate a legitimate server, potentially intercepting or altering sensitive communications and leading to unauthorized access or information disclosure." ],
  "affected_release" : [ {
    "product_name" : "Multicluster Global Hub 1.3.4",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22423",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.3::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779212259"
  }, {
    "product_name" : "Multicluster Global Hub 1.4.5",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22347",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.4::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779579439"
  }, {
    "product_name" : "Multicluster Global Hub 1.5.4",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21769",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.5::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1778867753"
  }, {
    "product_name" : "Multicluster Global Hub 1.6.2",
    "release_date" : "2026-06-04T00:00:00Z",
    "advisory" : "RHSA-2026:23345",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.6::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1780167118"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.15",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24539",
    "cpe" : "cpe:/a:redhat:acm:2.15::el9",
    "package" : "rhacm2/acm-grafana-rhel9:1780677003"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-jaeger-query-rhel9:1778158391"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-query-rhel9:1778158343"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.9.3",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14885",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.9::el9",
    "package" : "rhosdt/tempo-rhel9:1778158374"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-rhel8-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-cpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Affected",
    "package_name" : "rhaiis/vllm-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Affected",
    "package_name" : "rhaiis/vllm-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-tpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-aws-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-azure-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-azure-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-gcp-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Affected",
    "package_name" : "rhelai3/bootc-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-kf-notebook-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-notebook-controller-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ztp-site-generate-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Not affected",
    "package_name" : "rhosdt/opentelemetry-collector-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-gitops-1/argocd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41603\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41603\nhttp://www.openwall.com/lists/oss-security/2026/04/28/7\nhttps://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql" ],
  "name" : "CVE-2026-41603",
  "csaw" : false
}