CVE-2026-27448 LOW

CVE-2026-27448: pyOpenSSL allows TLS connection bypass via unhandled callback exception in set_tlsext_servername_callback

Vendor Pyca
Product pyopenssl
Weakness CWE-636
Published March 17, 2026
Last update March 18, 2026

CVSS base score

1.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

What the vulnerability does

Description

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user-provided callback registered with `set_tlsext_servername_callback` raised an unhandled exception, the connection was accepted anyway. If a user was relying on this callback for any security-sensitive behavior (for example, refusing connections whose server name is not on an allow-list), this could allow that behavior to be bypassed. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.
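As an added illustration (not pyOpenSSL's code), the following stand-alone Python simulates how a TLS layer dispatches a user-supplied SNI callback: the pre-26.0.0 fail-open behaviour beside the 26.0.0 fail-closed behaviour, plus an application-side wrapper for deployments that cannot upgrade yet. The connection object, allow-list and dispatch functions are constructed for the demo and are not the library's API.

```python
from typing import Optional
from dataclasses import dataclass, field

ALLOWED_HOSTS = {"api.example.test"}  # constructed allow-list for the demo

@dataclass
class FakeConnection:
    """Stand-in for a TLS connection object; not pyOpenSSL's Connection."""
    servername: Optional[bytes]   # SNI from the ClientHello, None if absent
    rejected: bool = False        # set by the application-side wrapper below
    log: list = field(default_factory=list)

def sni_policy(conn):
    """User callback that raises to refuse unknown names (and on missing SNI)."""
    host = conn.servername.decode()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} not allowed")

def dispatch_fail_open(conn, callback):
    """Pre-26.0.0 semantics (CWE-636): exception swallowed, handshake continues."""
    try:
        callback(conn)
    except Exception as exc:
        conn.log.append(f"ignored: {exc!r}")
    return "accepted"

def dispatch_fail_closed(conn, callback):
    """26.0.0 semantics: an unhandled exception rejects the connection."""
    try:
        callback(conn)
    except Exception as exc:
        conn.log.append(f"rejecting: {exc!r}")
        return "rejected"
    return "accepted"

def fail_closed(callback):
    """Application-side mitigation for older versions: catch everything and
    flag the connection so the application closes it after the handshake."""
    def wrapped(conn):
        try:
            callback(conn)
        except Exception as exc:
            conn.rejected = True
            conn.log.append(f"policy failure: {exc!r}")
    return wrapped

def handshake(conn, dispatcher, callback):
    """Decision the application acts on: the wrapper's flag wins."""
    result = dispatcher(conn, callback)
    return "rejected" if conn.rejected else result
```

Note that the wrapper only helps if the application actually checks the flag after the handshake; the reliable fix is upgrading to 26.0.0 or later.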

Key dates

Disclosure timeline

March 17, 2026 CVE published
March 18, 2026 Record updated