Is org.apache.thrift:libthrift affected by CVE-2026-43869?

Maven org.apache.thrift:libthrift is affected in <0.23.0.

Is CVE-2026-43869 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

high

CVE-2026-43869

Q: Is CVE-2026-43869 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

Maven · org.apache.thrift:libthrift

Summary

Apache Thrift has an Improper Validation of Certificate with Host Mismatch Vulnerability

Severity: high
EPSS: 0.3% (p21)
Also known as: GHSA-7pwc-h2j2-rjgj, BIT-thrift-2026-43869
Published: 2026-05-05

References

https://nvd.nist.gov/vuln/detail/CVE-2026-43869
https://github.com/apache/thrift/commit/0919c3d5506151514e283a63e1fe1ce83e2449d8
https://github.com/apache/thrift

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.