Tenable Discovers SSRF Vulnerability in Java TLS Handshakes That Creates DoS Risk
ID: d31b32a3-0927-5b50-bae3-41830a3c64c4
STIX ID: report--d31b32a3-0927-5b50-bae3-41830a3c64c4
Feed Name: Tenable Blog
Tenable Research disclosed a Server-Side Request Forgery (SSRF) vulnerability in Java's TLS client-certificate handling: Authority Information Access (AIA) CA Issuers URIs supplied in a client certificate can cause the server to fetch attacker-controlled or local resources, leading to denial of service in mTLS setups. Oracle patched the issue as CVE-2026-21945 in January 2026, and administrators using Java mTLS with AIA fetching are advised to apply updates immediately.
