OpenSearch has ineffective TLS certificate hostname verification

GHSA-x5hg-x4gv-j98m

Published May 7, 2026 · Modified May 7, 2026

Description

A regression was introduced in OpenSearch 2.18.0 that caused the plugins.security.ssl.transport.enforce_hostname_verification setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node's TLS certificate matched the hostname of the connection. This could allow a node with a valid certificate (signed by the cluster's trusted CA) but an incorrect hostname SAN to join the cluster.

Impact

Clusters running affected versions with hostname verification enabled did not receive the expected protection from this setting. A node presenting a certificate signed by the cluster's trusted CA could join the cluster regardless of whether its hostname SAN matched. This regression does not affect certificate validation itself — only the additional hostname verification check.

Patches

This issue is fixed in OpenSearch 2.19.4 and 3.3.0.

Workarounds

Use more restrictive values for plugins.security.nodes_dn to limit which certificates are accepted for node-to-node communication.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes