CVE-2026-27448: CWE-636: Not Failing Securely ('Failing Open') in pyca pyopenssl
CVE-2026-27448 is a vulnerability in pyOpenSSL versions from 0.14.0 up to but not including 26.0.0. It involves unhandled exceptions in user-provided callbacks to set_tlsext_servername_callback, which cause the connection to be accepted rather than rejected. This behavior is a failure to fail securely ('failing open'), potentially allowing bypass of security-sensitive logic in these callbacks. The issue was fixed in pyOpenSSL version 26.0.0 by changing the behavior to reject connections on such exceptions.
AI Analysis
Technical Summary
This vulnerability in pyOpenSSL affects versions from 0.14.0 up to but not including 26.0.0. When user-provided callbacks to set_tlsext_servername_callback raise unhandled exceptions, the connection is incorrectly accepted instead of being rejected. This 'failing open' behavior can allow attackers to bypass security checks implemented in these callbacks. The issue is classified under CWE-636 (Not Failing Securely). The problem was addressed in version 26.0.0 by modifying the code to reject connections when such exceptions occur, thereby enforcing secure failure behavior.
Potential Impact
The vulnerability allows connections to be accepted despite exceptions in security-sensitive callbacks, potentially bypassing logic intended to validate or restrict connections. Its CVSS v4.0 score of 1.7 reflects low severity and limited exploitability. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade pyOpenSSL to version 26.0.0 or later, where this vulnerability is fixed by rejecting connections on exceptions in set_tlsext_servername_callback. No other mitigation is indicated or required.
CVSS v4.0
Score: 1.7 (Low)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-19T17:25:31.100Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b9e71a771bdb1749eb4c67
Added to database: 3/17/2026, 11:43:22 PM
Last enriched: 6/4/2026, 9:18:35 PM
Last updated: 6/15/2026, 1:00:08 PM