HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-50010Published Modified CNA GitHub_M

CVE-2026-50010: Netty's wrapping plain trust manager silently disables hostname verification

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an authentication-bypass class vulnerability in Netty, the Java network application framework. It is reachable over the network with no authentication required, and affects any TLS client built with a plain X509TrustManager via SslContextBuilder. Successful exploitation allows an attacker positioned between the client and server to impersonate any TLS endpoint, intercepting encrypted traffic because hostname verification is silently disabled. No fix versions have been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Netty as a transitive dependency. Any image containing a vulnerable version of the netty artifact is flagged immediately on the next pipeline scan.

Available
Triage

HarborGuard scores this CVE at CVSS 7.5 HIGH using the published v3.1 vector, and per-environment compliance policy weighting can escalate or suppress routing based on each customer org's configured thresholds. Triage findings are routed to the appropriate team inbox within the customer organization for review.

Available
Patch

Because no upstream fix has been published, HarborGuard re-checks the Netty advisory on every ingest cycle and will make a patched-image rebuild available at versions 4.1.135.Final or 4.2.15.Final the moment those releases are confirmed upstream. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically once a fix version is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be positioned on the network path between the Netty TLS client and its intended server to intercept or impersonate the connection.

  • AuthenticationNot required

    No authentication is needed; the vulnerability is exploitable by any network-positioned party without credentials.

  • Victim interactionNot required

    No user interaction is required; the client silently skips hostname verification on every outbound TLS handshake.

  • Attack complexityDetail

    Attack complexity is low, meaning no race conditions or special environmental conditions are needed; any attacker with a valid network position can reliably exploit the missing hostname check.

Blast Radius

  • An attacker impersonates any TLS server the affected Netty client connects to, because hostname verification is not performed.
  • All data transmitted over the intercepted TLS session is exposed in plaintext to the attacker, including credentials, session tokens, and application payloads.
  • The attacker can read responses sent back to the client, enabling exfiltration of server-side data returned over the hijacked connection.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against all scanned images containing affected Netty versions (4.2.0.Final through 4.2.14.Final, and any 4.1.x release prior to 4.1.135.Final) as soon as the image enters a customer pipeline or registry. Because no upstream patch exists today, HarborGuard monitors the Netty advisory on every ingest cycle. The moment versions 4.1.135.Final or 4.2.15.Final are published and confirmed, a patched-image rebuild becomes available. For customers with auto-remediation enabled, that triggers an automatic rebuild, a regression-test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation to restrict which services the affected client can reach, egress filtering to limit outbound TLS destinations to known-good endpoints, and replacing any plain X509TrustManager with a subclass of X509ExtendedTrustManager that correctly implements the 3-arg checkServerTrusted method so hostname verification is not discarded.

See how HarborGuard automates this
Affected packages
  • netty / netty
    >= 4.2.0.Final, < 4.2.15.Final · < 4.1.135.Final
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References