pyOpenSSL TLS connection bypass through unhandled exception
GHSA-vp96-hxj8-p424
CVE-2026-27448
Summary
A previous version of pyOpenSSL allowed an attacker to bypass security features by causing a user-provided callback to raise an unhandled exception, after which the connection was still accepted. This has been fixed, so connections are now rejected if the callback fails. We recommend updating to the latest version to ensure security.
What to do
- Update pyopenssl to version 26.0.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pyopenssl | > 0.14.0, <= 26.0.0 | 26.0.0 |
Original title
pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback
Original description
If a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it.
Unhandled exceptions now result in rejecting the connection.
Credit to **Leury Castillo** for reporting this issue.
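The failure mode described above, as an added example that is not pyOpenSSL's own code: a constructed `FakeConnection` stands in for `OpenSSL.SSL.Connection`, the two `dispatch_*` functions model the affected and the fixed handling of a callback exception (the return-code constants are OpenSSL's), and `fail_closed_callback` / `accepted_after_handshake` show a version-independent pattern where the callback never raises and the server only proceeds on an explicit positive verdict recorded via `set_app_data`.

```python
SSL_TLSEXT_ERR_OK = 0           # OpenSSL return code: continue the handshake
SSL_TLSEXT_ERR_ALERT_FATAL = 2  # OpenSSL return code: abort with a fatal alert
ALLOWED_NAMES = {b"api.example.test", b"www.example.test"}  # constructed allowlist

class FakeConnection:
    # Constructed stand-in for OpenSSL.SSL.Connection; only the methods used here.
    def __init__(self, servername):
        self._servername = servername  # None models a client that sent no SNI
        self._app_data = None
    def get_servername(self):
        return self._servername
    def set_app_data(self, data):
        self._app_data = data
    def get_app_data(self):
        return self._app_data

def sni_allowlist_callback(conn):
    # Security-sensitive callback that rejects by raising. Latent bug: with no SNI,
    # get_servername() is None, so .lower() raises AttributeError (also "unhandled").
    name = conn.get_servername().lower()
    if name not in ALLOWED_NAMES:
        raise ValueError("SNI not allowed: %r" % name)

def dispatch_vulnerable(callback, conn):
    # Models the affected behaviour: any exception still lets the handshake proceed.
    try:
        callback(conn)
    except Exception:
        pass
    return SSL_TLSEXT_ERR_OK

def dispatch_fixed(callback, conn):
    # Models the fixed behaviour: an unhandled exception rejects the connection.
    try:
        callback(conn)
    except Exception:
        return SSL_TLSEXT_ERR_ALERT_FATAL
    return SSL_TLSEXT_ERR_OK

def fail_closed_callback(conn):
    # Version-independent hardening: never let an exception escape; record a verdict.
    try:
        sni_allowlist_callback(conn)
        conn.set_app_data({"sni_ok": True})
    except Exception:
        conn.set_app_data({"sni_ok": False})

def accepted_after_handshake(conn):
    # Only an explicit positive verdict counts; a missing verdict is a rejection.
    return (conn.get_app_data() or {}).get("sni_ok") is True
```

With the affected dispatch both the disallowed name and the no-SNI case return `SSL_TLSEXT_ERR_OK`; with the fixed dispatch both are rejected, and the fail-closed pattern rejects them on any library version.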
CVSS 4.0 (GHSA): 1.7
Vulnerability type
CWE-636 (Not Failing Securely, "Failing Open")
References
- https://github.com/pyca/pyopenssl/security/advisories/GHSA-vp96-hxj8-p424
- https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa...
- https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/...
- https://github.com/advisories/GHSA-vp96-hxj8-p424
- https://github.com/pyca/pyopenssl (product)
Published: 16 Mar 2026 · Updated: 16 Mar 2026 · First seen: 16 Mar 2026