Uncontrolled Recursion Vulnerability in Apache Thrift by Apache
CVE-2026-41636

8.7HIGH

Key Information:

Vendor: Apache
Status: Apache Thrift
Vendor: CVE Published:; 28 April 2026

What is CVE-2026-41636?

An uncontrolled recursion vulnerability exists in the Apache Thrift Node.js bindings, allowing for potential resource exhaustion. This affects versions prior to 0.23.0. Users are urged to upgrade to version 0.23.0 to mitigate any risks associated with this issue.

Affected Version(s)

Apache Thrift 0 < 0.23.0

References

https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925p...

vendor-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 28, 2026
Vulnerability Reserved
Apr 21, 2026

Credit

박시온 (L3G4CY Security Research)

CVE-2026-41636 Data

JSON