GHSA-x5hg-x4gv-j98m

Source

https://github.com/advisories/GHSA-x5hg-x4gv-j98m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x5hg-x4gv-j98m/GHSA-x5hg-x4gv-j98m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x5hg-x4gv-j98m

Published

2026-05-07T00:09:18Z

Modified

2026-05-07T00:21:11.903034Z

Severity

2.2 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

OpenSearch has ineffective TLS certificate hostname verification

Details

Description

A regression was introduced in OpenSearch 2.18.0 that caused the plugins.security.ssl.transport.enforce_hostname_verification setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node's TLS certificate matched the hostname of the connection. This could allow a node with a valid certificate (signed by the cluster's trusted CA) but an incorrect hostname SAN to join the cluster.

Impact

Clusters running affected versions with hostname verification enabled did not receive the expected protection from this setting. A node presenting a certificate signed by the cluster's trusted CA could join the cluster regardless of whether its hostname SAN matched. This regression does not affect certificate validation itself — only the additional hostname verification check.

Patches

This issue is fixed in OpenSearch 2.19.4 and 3.3.0.

Workarounds

Use more restrictive values for plugins.security.nodes_dn to limit which certificates are accepted for node-to-node communication.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T00:09:18Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "LOW",
    "nvd_published_at": null
}

References

Affected packages

Maven / org.opensearch.plugin:opensearch-security

Package

Name: org.opensearch.plugin:opensearch-security; View open source insights on deps.dev
Purl: pkg:maven/org.opensearch.plugin/opensearch-security

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.18.0

Fixed

2.19.4.0

Affected versions

2.*

2.18.0.0

2.19.0.0

2.19.1.0

2.19.2.0

2.19.3.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x5hg-x4gv-j98m/GHSA-x5hg-x4gv-j98m.json"

Maven / org.opensearch.plugin:opensearch-security

Package

Name: org.opensearch.plugin:opensearch-security; View open source insights on deps.dev
Purl: pkg:maven/org.opensearch.plugin/opensearch-security

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.3.0.0

Affected versions

3.*

3.0.0.0

3.1.0.0

3.2.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-x5hg-x4gv-j98m/GHSA-x5hg-x4gv-j98m.json"