{"vulnerability": "cve-2026-50010", "sightings": [{"uuid": "5c11e95f-8a92-414d-bb47-8b074bdf224d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50010", "type": "seen", "source": "https://bsky.app/profile/hugovalters.bsky.social/post/3mo5i6l7zbl2i", "content": "CVE-2026-50010 - High severity flaw in Netty's X509TrustManager wrapper. SSLEngine discarded in trust checks, potentially enabling MITM attacks. CVSS 7.5. No patch yet. Monitor & mitigate. #CVE #Netty #infosec\n\nhttps://www.valtersit.com/cve/CVE-2026-50010/", "creation_timestamp": "2026-06-13T05:05:01.937808Z"}, {"uuid": "ed1e14d7-911a-43d8-ba1d-c6c05c728ef8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-50010", "type": "seen", "source": "https://gist.github.com/alon710/f42a6954ca4bbe69929b54a65ee51645", "content": "# CVE-2026-50010: CVE-2026-50010: Hostname Verification Bypass in Netty TLS Client\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-15\n> **Full Report:** https://cvereports.com/reports/CVE-2026-50010\n\n## Summary\nA critical hostname verification bypass vulnerability exists in the Netty network application framework when configured as a TLS client. When a developer registers a custom plain X509TrustManager, Netty wraps it inside an X509TrustManagerWrapper to adapt it to the X509ExtendedTrustManager API. However, this wrapper discards the SSLEngine context, bypassing critical hostname checks. Because the wrapper is identified as an X509ExtendedTrustManager, standard cryptographic engines and Netty's OpenSSL wrappers do not re-wrap it, failing to execute any hostname validation. Consequently, clients silently accept certificates for any host, enabling unauthenticated Man-in-the-Middle (MitM) attacks.\n\n## TL;DR\nNetty silently bypasses TLS hostname verification when custom plain X509TrustManagers are used, exposing clients to unauthenticated Man-in-the-Middle (MitM) traffic interception.\n\n## Technical Details\n\n- **CWE ID**: CWE-347 (Improper Verification of Cryptographic Signature)\n- **Attack Vector**: Network (AV:N)\n- **Attack Complexity**: Low (AC:L)\n- **CVSS v3.1 Score**: 7.5 (High)\n- **EPSS Score**: 0.00196 (0.20% probability of exploit in next 30 days)\n- **Exploit Status**: None / Unweaponized\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Netty Client Configurations\n- Java Applications using Netty-Handler with custom trust managers\n- **netty-handler**: < 4.1.135.Final (Fixed in: `4.1.135.Final`)\n- **netty-handler**: >= 4.2.0.Final, < 4.2.15.Final (Fixed in: `4.2.15.Final`)\n\n## Mitigation\n\n- Upgrade the Netty library to a patched version (4.1.135.Final or 4.2.15.Final).\n- Refactor custom trust managers to explicitly extend X509ExtendedTrustManager and perform manual hostname verification.\n- Inject a post-handshake ChannelHandler to programmatically verify the peer certificate hostname.\n- Implement network-level segmentation or mTLS proxies to secure transit paths.\n\n**Remediation Steps:**\n1. Identify all direct and transitive dependencies on netty-handler within the project build files (e.g., pom.xml or build.gradle).\n2. Update the Netty version property to 4.1.135.Final (for 4.1.x) or 4.2.15.Final (for 4.2.x).\n3. Audit custom usage of SslContextBuilder.forClient().trustManager(...) to verify whether plain X509TrustManager implementations are passed.\n4. Where custom plain trust managers are used, refactor them to extend X509ExtendedTrustManager.\n5. Rebuild the application and deploy to staging environments for TLS handshake verification testing.\n6. Run automated vulnerability scanning to confirm the absence of vulnerable Netty jars.\n\n## References\n\n- [Official Netty Security Advisory (GHSA-c653-97m9-rcg9)](https://github.com/netty/netty/security/advisories/GHSA-c653-97m9-rcg9)\n- [Netty 4.1.135.Final Release Notes](https://github.com/netty/netty/releases/tag/netty-4.1.135.Final)\n- [Netty 4.2.15.Final Release Notes](https://github.com/netty/netty/releases/tag/netty-4.2.15.Final)\n- [CVE.org Record](https://www.cve.org/CVERecord?id=CVE-2026-50010)\n- [Wiz Vulnerability Database Analysis](https://www.wiz.io/vulnerability-database/cve/cve-2026-50010)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-50010) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-15T23:41:15.000000Z"}]}