EUVD-2026-17062
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
4Description
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.
Analysis
Libsoup transmits sensitive session cookies in cleartext within HTTP CONNECT requests when establishing HTTPS tunnels through configured HTTP proxies, allowing network-positioned attackers or malicious proxies to intercept and hijack user sessions. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and carries a CVSS 5.9 score with high confidentiality impact; no public exploit code or confirmed active exploitation has been identified at the time of analysis.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Vendor Status
Debian
Bug #1132331| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 2.72.0-2 | - |
| bullseye (security) | vulnerable | 2.72.0-2+deb11u3 | - |
| bookworm | vulnerable | 2.74.3-1+deb12u1 | - |
| trixie | vulnerable | 2.74.3-10.1 | - |
| (unstable) | fixed | (unfixed) | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 3.2.3-0+deb12u2 | - |
| trixie | vulnerable | 3.6.5-3 | - |
| forky, sid | vulnerable | 3.6.6-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today