Skip to main content

Eclipse Vert X CVE-2026-15076

| EUVDEUVD-2026-43637 HIGH
Origin Validation Error (CWE-346)
2026-07-14 eclipse GHSA-vjx2-fp9g-q2mc
8.2
CVSS 4.0 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (eclipse) · only source for this CVE.

CVSS VectorVendor: eclipse

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 08:47 vuln.today
CVE Published
Jul 14, 2026 - 08:09 cve.org
HIGH 8.2

DescriptionCVE.org

In versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), the WebClientSession component of Eclipse Vert.x Web Client does not validate that the Domain attribute of a Set-Cookie response header matches the originating server's domain, in violation of RFC 6265 section 5.3. An attacker who controls any server that the victim application contacts can inject a cookie scoped to an arbitrary third-party domain; because the session store performs no cross-domain ownership check, it stores and later transmits that cookie to the targeted domain.

When the victim application subsequently sends a request to the targeted domain using the same WebClientSession, it presents the attacker-injected cookie, causing the receiving service to process the request under the attacker's account. Sensitive data included in the victim application's requests, such as payment amounts, card details, or other API payloads, may then be accessible to the attacker through their own account on that service.

AnalysisAI

Cross-domain cookie injection in Eclipse Vert.x Web Client (WebClientSession) lets any server a victim application contacts set a cookie scoped to an unrelated third-party domain, which the client later replays to that domain. Versions up to 4.5.29 (4.x) and 5.1.4 (5.x) fail to enforce the RFC 6265 Domain-attribute ownership check, so an attacker can bind their own session cookie into the victim's WebClientSession and have the victim's later requests to a target service execute under the attacker's account, exposing sensitive request payloads. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours, inventory all applications using Eclipse Vert.x Web Client and identify those with versions 4.5.29 or earlier (4.x) or 5.1.4 or earlier (5.x), prioritizing those that communicate with external services or handle sensitive data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy