undici: CVE-2026-6734 (HIGH)
Severity by source
Primary rating from Vendor (openjs): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable misrouting with no auth needed (PR:N - attacker only needs to be an origin), AC:H for the multi-origin Socks5ProxyAgent precondition, C:H and I:H from credential leak and HTTPS downgrade, A:L for failed legitimate requests.
Description (CVE.org)
Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination.
This causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP.
Impacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin.
This was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0.
Patches: Upgrade to undici v7.26.0 or v8.2.0.
Workarounds: Use a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins.
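The per-origin workaround above, written out as an added example that is not undici's own code: a small router keys dispatchers by the requested URL's origin (scheme, host and port) and each dispatcher refuses to serve any other origin, which is exactly the check the affected versions lacked. `OriginBoundDispatcher` and the `createAgent` factory are assumptions standing in for one `Socks5ProxyAgent` instance per origin; nothing here touches the network.

```javascript
// Added example (not undici's code). Models the advisory's workaround:
// one agent per origin, plus the origin check missing in 7.23.0-8.1.0.

class OriginBoundDispatcher {
  // Stand-in for a Socks5ProxyAgent created for exactly one origin (assumption).
  constructor(origin) {
    this.origin = origin;
    this.dispatched = [];
  }

  dispatch(url) {
    const parsed = new URL(url);
    // The check the vulnerable versions skipped: a pool bound to origin A
    // must not carry a request meant for origin B. Refuse instead of
    // silently sending credentials to the wrong host.
    if (parsed.origin !== this.origin) {
      throw new Error(
        `origin mismatch: pool bound to ${this.origin}, request for ${parsed.origin}`
      );
    }
    this.dispatched.push(url);
    return { origin: parsed.origin, protocol: parsed.protocol };
  }
}

function makeOriginRouter(createAgent) {
  const agents = new Map();
  return {
    // URL.origin includes the scheme, so http:// and https:// to the same
    // host get distinct agents and an HTTPS request can never ride an HTTP pool.
    agentFor(url) {
      const origin = new URL(url).origin;
      let agent = agents.get(origin);
      if (!agent) {
        agent = createAgent(origin);
        agents.set(origin, agent);
      }
      return agent;
    },
    request(url) {
      return this.agentFor(url).dispatch(url);
    },
    size() {
      return agents.size;
    },
  };
}
```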
Analysis (AI)
Cross-origin request misrouting in undici (Node.js HTTP client) versions 7.23.0 through 8.1.0 occurs when Socks5ProxyAgent shares a single connection pool across origins without validating the pool's origin against the requested destination. All requests get dispatched through the connection bound to the first origin, causing credentials and request bodies destined for origin B to be sent to origin A, responses from the wrong origin to be trusted, and HTTPS requests to be silently downgraded to HTTP. …
Vulnerability Assessment (AI)
| Section | Assessment |
|---|---|
| Exploitation | The vulnerable application must use undici's Socks5ProxyAgent, either directly or installed globally via setGlobalDispatcher, and must issue outbound requests to more than one origin through that agent within the same process; single-origin clients and applications using other dispatchers (default Agent, ProxyAgent, HTTP CONNECT proxies) are not affected. … |
| Risk Assessment | The vendor CVSS of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high confidentiality and integrity impact, tempered by AC:H because exploitation requires the victim application to make requests to multiple origins through one Socks5ProxyAgent, a real but non-universal configuration. … |
| Exploit Scenario | An application uses Socks5ProxyAgent as its global dispatcher and first calls https://attacker.example to fetch a benign resource, then calls https://api.bank.example with an Authorization bearer token; because the pool is bound to attacker.example, the second request is dispatched over the existing connection to the attacker, leaking the token and allowing the attacker to return a forged response that the application trusts. The same path also causes a silent downgrade if the attacker terminates HTTP instead of HTTPS. … |
| Remediation | Vendor-released patch: upgrade undici to 7.26.0 on the 7.x line or 8.2.0 on the 8.x line, per the Node.js security advisory at https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj. … |
Recommended Action (AI)
24 hours: Identify all internal Node.js applications using undici 7.23.0-8.1.0 with Socks5ProxyAgent; assess criticality and data exposure. …