TLS SNI Wildcard Enumeration via TCP Client in Eclipse
CVE-2026-6860 Published on May 6, 2026
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.
Weakness Type
Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
Products Associated with CVE-2026-6860
Want to know whenever a new CVE is published for Eclipse Vert X? stack.watch will email you.
Affected Versions
Eclipse Foundation Eclipse Vert.x:- Version 4.3.4, <= 4.5.26 is affected.
- Version 5.0.0, <= 5.0.11 is affected.