TLS Handshake Vulnerability in Eclipse Vert.x by Eclipse Foundation
CVE-2026-6860

6.9MEDIUM

Key Information:

Vendor: Eclipse Foundation
Status: Eclipse Vert.x
Vendor: CVE Published:; 6 May 2026

🔔 Create Eclipse Foundation Vulnerability Alert

What is CVE-2026-6860?

A vulnerability in Eclipse Vert.x allows a TCP client to successfully perform a TLS handshake by presenting a server name extension that can match any server wildcard name. This means that a server configured to accept a wildcard certificate, such as *.example.com, can be misled by clients using subdomains like XYZ.example.com, potentially exposing sensitive operations to unauthorized entities. This misconfiguration could allow for man-in-the-middle attacks or data interception, necessitating immediate attention to server certificate settings and validation mechanisms.

Affected Version(s)

Eclipse Vert.x 4.3.4 <= 4.5.26

Eclipse Vert.x 5.0.0 <= 5.0.11

References

https://gitlab.eclipse.org/security/vulnerability-reports...

https://github.com/eclipse-vertx/vert.x/security/advisori...

https://github.com/eclipse-vertx/vert.x/pull/6102

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
Apr 22, 2026

Credit

Jihun Kim

CVE-2026-6860 Data

JSON