GHSA-X5HG-X4GV-J98M

Vulnerability from github – Published: 2026-05-07 00:09 – Updated: 2026-05-07 00:09
VLAI
Summary
OpenSearch has ineffective TLS certificate hostname verification
Details

Description

A regression was introduced in OpenSearch 2.18.0 that caused the plugins.security.ssl.transport.enforce_hostname_verification setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node's TLS certificate matched the hostname of the connection. This could allow a node with a valid certificate (signed by the cluster's trusted CA) but an incorrect hostname SAN to join the cluster.

Impact

Clusters running affected versions with hostname verification enabled did not receive the expected protection from this setting. A node presenting a certificate signed by the cluster's trusted CA could join the cluster regardless of whether its hostname SAN matched. This regression does not affect certificate validation itself — only the additional hostname verification check.

Patches

This issue is fixed in OpenSearch 2.19.4 and 3.3.0.

Workarounds

Use more restrictive values for plugins.security.nodes_dn to limit which certificates are accepted for node-to-node communication.

Severity
2.2 (Low)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.plugin:opensearch-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.18.0"
            },
            {
              "fixed": "2.19.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.plugin:opensearch-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T00:09:18Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Description\n\nA regression was introduced in OpenSearch 2.18.0 that caused the `plugins.security.ssl.transport.enforce_hostname_verification` setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node\u0027s TLS certificate matched the hostname of the connection. This could allow a node with a valid certificate (signed by the cluster\u0027s trusted CA) but an incorrect hostname SAN to join the cluster.\n\n### Impact\n\nClusters running affected versions with hostname verification enabled did not receive the expected protection from this setting. A node presenting a certificate signed by the cluster\u0027s trusted CA could join the cluster regardless of whether its hostname SAN matched. This regression does not affect certificate validation itself \u2014 only the additional hostname verification check.\n\n### Patches\n\nThis issue is fixed in OpenSearch 2.19.4 and 3.3.0.\n\n### Workarounds\n\nUse more restrictive values for `plugins.security.nodes_dn` to limit which certificates are accepted for node-to-node communication.",
  "id": "GHSA-x5hg-x4gv-j98m",
  "modified": "2026-05-07T00:09:18Z",
  "published": "2026-05-07T00:09:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/security/security/advisories/GHSA-x5hg-x4gv-j98m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensearch-project/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSearch has ineffective TLS certificate hostname verification"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.