Security Bypass Vulnerability in pyOpenSSL Library Affecting Multiple Versions
CVE-2026-27448

1.7 LOW

Key Information:

Vendor

Pyca

Status
Vendor
CVE Published:
17 March 2026

What is CVE-2026-27448?

pyOpenSSL is a Python wrapper around OpenSSL. A server application can register a callback with Context.set_tlsext_servername_callback that runs during the TLS handshake, once the client's Server Name Indication (SNI) is known; applications commonly use it to select a per-host certificate or context, or to refuse hosts they do not serve. In versions before 26.0.0, if that callback raised an exception that it did not handle itself, pyOpenSSL did not abort the handshake: the connection was accepted as if the callback had succeeded. Any check the application placed in the callback could therefore be bypassed by a failure inside it, so a client could complete a handshake the application intended to refuse. From 26.0.0 onward, an unhandled exception in the callback causes the connection to be rejected. Applications should upgrade to 26.0.0 or later; until then, a callback must not rely on an exception to reject a client, but should catch its own errors and record the rejection so the server closes the connection after the handshake.

Affected Version(s)

pyopenssl >= 0.14.0, < 26.0.0
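The following is an added example, not code from the advisory or from the pyca project. It shows the version check against the range above and a fail-closed SNI callback pattern: the policy is wrapped so that any exception marks the connection as rejected in the connection's app data, and the server checks that flag after do_handshake() rather than trusting the library to abort the handshake. FakeConnection is a constructed stand-in that mimics only the three OpenSSL.SSL.Connection methods the wrapper uses (get_servername, get_app_data, set_app_data) so the module runs without pyOpenSSL installed; simulate_affected_handshake mimics the pre-26.0.0 behaviour the advisory describes (exception swallowed, handshake completes). The host names and the allowlist_policy helper are assumptions for illustration.

```python
"""Fail-closed SNI handling for pyOpenSSL servers (added example)."""

from __future__ import annotations

import logging
from typing import Callable, Optional

log = logging.getLogger("sni")

# Affected range from the advisory: pyopenssl >= 0.14.0, < 26.0.0
AFFECTED_MIN = (0, 14, 0)
FIXED = (26, 0, 0)

# Key under which the wrapper records a rejection in Connection app data.
REJECTED_KEY = "sni_rejected"


def parse_version(text: str) -> tuple:
    """'25.1.0' -> (25, 1, 0); a suffix such as 'b1' is dropped, missing parts are 0."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the installed pyOpenSSL version falls in the advisory's range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def allowlist_policy(allowed: set) -> Callable:
    """Assumed policy: the SNI name (bytes, as get_servername returns) must be allowlisted."""
    def policy(conn, name: Optional[bytes]) -> None:
        if name is None:
            raise ValueError("client sent no SNI")
        if name not in allowed:
            raise ValueError(f"unknown host {name!r}")
    return policy


def fail_closed_servername_callback(policy: Callable) -> Callable:
    """Wrap `policy(conn, servername)` for Context.set_tlsext_servername_callback.

    Any exception is recorded in the connection's app data before being
    re-raised: on pyOpenSSL >= 26.0.0 the re-raise aborts the handshake,
    and on older versions the recorded flag lets the server reject the
    connection itself after do_handshake() returns.
    """
    def callback(conn) -> None:
        try:
            policy(conn, conn.get_servername())
        except Exception as exc:
            reason = str(exc) or type(exc).__name__
            log.warning("rejecting connection: SNI policy failed: %s", reason)
            data = conn.get_app_data()
            if not isinstance(data, dict):
                data = {"app_data": data}
            data[REJECTED_KEY] = reason
            conn.set_app_data(data)
            raise
    return callback


def rejected(conn) -> Optional[str]:
    """Post-handshake check: the reason the callback rejected this connection, or None."""
    data = conn.get_app_data()
    if isinstance(data, dict):
        return data.get(REJECTED_KEY)
    return None


class FakeConnection:
    """Constructed stand-in for OpenSSL.SSL.Connection; offline demo only."""
    def __init__(self, servername: Optional[bytes]):
        self._servername = servername
        self._app_data = None

    def get_servername(self):
        return self._servername

    def get_app_data(self):
        return self._app_data

    def set_app_data(self, data):
        self._app_data = data


def simulate_affected_handshake(conn, callback: Callable) -> str:
    """Mimic pyOpenSSL < 26.0.0 as the advisory describes it: the callback's
    exception is swallowed and the handshake completes. Then apply the check
    a server loop should run after do_handshake()."""
    try:
        callback(conn)
    except Exception:
        pass  # swallowed: without a recorded flag the client is accepted
    reason = rejected(conn)
    return f"rejected: {reason}" if reason else "accepted"
```

With a real server, install the wrapped callback with ctx.set_tlsext_servername_callback(fail_closed_servername_callback(policy)) and, after conn.do_handshake() returns, call rejected(conn) and shut the connection down if it is not None; a callback that merely raises is only safe once the library is at 26.0.0 or later.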

References

CVSS V4

Score:
1.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
