PyOpenSSL Security Flaw CVE-2026-27448: Unhandled Exception Could Bypass Security Callbacks
A critical security vulnerability in the widely used pyOpenSSL library, designated CVE-2026-27448, has been patched in version 26.0.0. The flaw resided in the `set_tlsext_servername_callback` function: when a user-provided callback raised an unhandled exception, the library failed open and the connection was accepted. This created a security bypass for any application that relied on the callback for security-sensitive logic, such as hostname validation or access control, since a crashing check was treated the same as a passing one.
The vulnerability was discovered and reported by security researcher Leury Castillo. The core issue was that the library's error handling failed to reject the connection when a callback crashed, leaving a gap in the intended security posture. The fix, implemented in pyOpenSSL v26.0.0, ensures that any unhandled exception from this specific callback now correctly results in the connection being rejected, closing the bypass vector.
This update is flagged as a security priority in dependency management systems such as RenovateBot, which automatically generates pull requests to bump the package from the vulnerable version 23.0.0 to the patched 26.0.0. The patch is critical for any Python application that uses pyOpenSSL for TLS/SSL and registers a custom server name indication (SNI) callback. Failing to update leaves such systems exposed to circumvention of the security checks performed during the TLS handshake.
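The fail-open behaviour described above, beside a fail-closed wrapper an application can put around its own SNI callback, as an added example that is neither pyOpenSSL's code nor part of the original article. It assumes a hostname allowlist (`ALLOWED_HOSTS`) and substitutes a constructed `StubConnection` for `OpenSSL.SSL.Connection` so it runs without pyOpenSSL installed; `get_servername`, `set_app_data` and `get_app_data` are the real Connection methods the wrapper relies on.

```python
"""Fail-closed wrapper for a pyOpenSSL SNI callback (defensive pattern)."""
from functools import wraps

ALLOWED_HOSTS = {b"api.example.test", b"www.example.test"}  # assumed allowlist


def naive_sni_check(conn):
    """Typical callback that crashes when the client sends no SNI, because
    Connection.get_servername() returns None. Before pyOpenSSL 26.0.0 that
    crash was treated as 'accept' (CVE-2026-27448)."""
    host = conn.get_servername().lower()          # AttributeError on None
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not allowed")      # the intended rejection


def fail_closed(callback):
    """Wrap a servername callback so that any exception, as well as an explicit
    rejection, is recorded on the connection's app data. The application then
    checks sni_rejected() after do_handshake() and shuts the connection down."""
    @wraps(callback)
    def wrapper(conn):
        try:
            callback(conn)
            conn.set_app_data({"sni_rejected": False})
        except Exception as exc:  # deliberately catch everything: fail closed
            conn.set_app_data({"sni_rejected": True, "reason": repr(exc)})
    return wrapper


def sni_rejected(conn):
    """True unless the wrapped callback ran to completion and accepted.
    A connection on which the callback never ran is also rejected."""
    data = conn.get_app_data()
    return not (isinstance(data, dict) and data.get("sni_rejected") is False)


class StubConnection:
    """Constructed stand-in for OpenSSL.SSL.Connection, exposing only the
    three methods the wrapper uses."""
    def __init__(self, servername):
        self._servername, self._app_data = servername, None
    def get_servername(self): return self._servername
    def set_app_data(self, data): self._app_data = data
    def get_app_data(self): return self._app_data


def simulate(servername):
    """Invoke the wrapped callback as the library would; return the verdict."""
    conn = StubConnection(servername)
    fail_closed(naive_sni_check)(conn)
    return sni_rejected(conn)


if __name__ == "__main__":
    for name in (b"api.example.test", b"evil.example.test", None):
        print(name, "rejected" if simulate(name) else "accepted")
```

With a real context the registration is `ctx.set_tlsext_servername_callback(fail_closed(naive_sni_check))`, and the server calls `sni_rejected(conn)` immediately after `conn.do_handshake()` so the decision does not depend on how the library treats a crashing callback.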