{
  "threat_severity" : "Important",
  "public_date" : "2026-05-05T07:25:48Z",
  "bugzilla" : {
    "description" : "Apache Thrift: Security bypass due to improper certificate validation",
    "id" : "2466660",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2466660"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift.\nThis issue affects Apache Thrift versions before 0.23.0.\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.", "A flaw was found in Apache Thrift. This vulnerability involves improper validation of a certificate with a host mismatch, which could allow a remote attacker to bypass security checks. By presenting a specially crafted certificate, an attacker may impersonate a legitimate server or client. This could lead to a security bypass, potentially enabling unauthorized access or information disclosure." ],
  "affected_release" : [ {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28010",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-storage-rhel9:4.2.0-16"
  }, {
    "product_name" : "Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26586",
    "cpe" : "cpe:/a:redhat:apache_camel_quarkus:3.33",
    "package" : "libthrift"
  }, {
    "product_name" : "Multicluster Global Hub 1.3.4",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22423",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.3::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779212259"
  }, {
    "product_name" : "Multicluster Global Hub 1.4.5",
    "release_date" : "2026-06-01T00:00:00Z",
    "advisory" : "RHSA-2026:22347",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.4::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779579439"
  }, {
    "product_name" : "Multicluster Global Hub 1.5.4",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21769",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.5::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1778867753"
  }, {
    "product_name" : "Multicluster Global Hub 1.6.2",
    "release_date" : "2026-06-04T00:00:00Z",
    "advisory" : "RHSA-2026:23345",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.6::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1780167118"
  }, {
    "product_name" : "Multicluster Global Hub 1.7.1",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24503",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.7::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:1779925273"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.15",
    "release_date" : "2026-06-08T00:00:00Z",
    "advisory" : "RHSA-2026:24539",
    "cpe" : "cpe:/a:redhat:acm:2.15::el9",
    "package" : "rhacm2/acm-grafana-rhel9:1780677003"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2.16",
    "release_date" : "2026-06-11T00:00:00Z",
    "advisory" : "RHSA-2026:25273",
    "cpe" : "cpe:/a:redhat:acm:2.16::el9",
    "package" : "rhacm2/acm-grafana-rhel9:1780926805"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3.10.0",
    "release_date" : "2026-06-18T00:00:00Z",
    "advisory" : "RHSA-2026:27126",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3.10::el9",
    "package" : "rhosdt/tempo-rhel9:1781589494"
  } ],
  "package_state" : [ {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel8",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-rhel8-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "redhat-user-workloads/grafana-acm-212",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "redhat-user-workloads/grafana-acm-213",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-cpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat AI Inference Server",
    "fix_state" : "Will not fix",
    "package_name" : "rhaiis/vllm-tpu-rhel9",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Affected",
    "package_name" : "libthrift",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "libthrift",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "libthrift",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "libthrift",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-modelmesh-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Affected",
    "package_name" : "rhoai/odh-modelmesh-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/cnf-tests-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ztp-site-generate-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/cnf-tests-4-15",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/ztp-site-generate-4-15",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "redhat-user-workloads/ztp-site-generate-4-16",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Affected",
    "package_name" : "rhosdt/opentelemetry-collector-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Affected",
    "package_name" : "rhosdt/tempo-jaeger-query-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 3",
    "fix_state" : "Affected",
    "package_name" : "rhosdt/tempo-query-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Not affected",
    "package_name" : "rhoso-operators/openstack-operator-bundle",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43869\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43869\nhttps://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r" ],
  "name" : "CVE-2026-43869",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}