Skip to main content

LWP::UserAgent EUVDEUVD-2026-29492

| CVE-2026-8368 MEDIUM
Insufficiently Protected Credentials (CWE-522)
2026-05-12 CPANSec GHSA-39wp-j2gg-h44j
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
May 19, 2026 - 20:34 vuln.today
Analysis Generated
May 19, 2026 - 20:34 vuln.today
CVSS changed
May 19, 2026 - 18:22 NVD
6.5 (MEDIUM)
CVE Published
May 12, 2026 - 14:01 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.

On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.

A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.

AnalysisAI

Credential leakage in LWP::UserAgent before 6.83 (Perl) exposes Authorization and Proxy-Authorization headers to attacker-controlled redirect targets across cross-origin 3xx redirects. The library's redirect handler stripped only Host and Cookie on follow-up requests, leaving credential headers intact even when the redirect crossed a scheme, host, or port boundary. Authenticated Perl HTTP clients - including server-side applications, crawlers, API integrators, and automation tooling - are affected whenever caller-supplied credentials are passed to a UserAgent instance that can be redirected. No public exploit has been independently confirmed beyond the proof-of-concept submitted with the vulnerability report, and CISA KEV does not list this CVE; however, the exploitation pattern is straightforward and mirrors a well-documented class of credential-leakage flaws in HTTP client libraries.

Technical ContextAI

LWP::UserAgent (libwww-perl) is the de facto standard HTTP client library for Perl, widely used in CPAN modules, CGI scripts, API clients, and automation pipelines. The affected code path is the redirect handler in LWP/UserAgent.pm, which clones the original request and re-submits it to the redirect location. Prior to 6.83, this clone preserved all caller-supplied headers - including Authorization and Proxy-Authorization - regardless of whether the redirect destination shared the same scheme, host, or port as the original request. CWE-522 (Insufficiently Protected Credentials) captures the root cause: credentials transmitted by the library were not adequately scoped to the intended recipient. The fix (commit 9c4aeb6f) mirrors the remediation approach taken for libcurl CVE-2018-1000007, explicitly stripping the two credential headers when the new URI differs in scheme, host, or port. The patch also introduces an opt-out constructor parameter, allow_credentialed_redirects => 1, for callers that intentionally rely on cross-origin credential forwarding. CPE data identifies the affected product as cpe:2.3:a:oalders:lwp::useragent:*:*:*:*:*:*:*:*, covering all versions preceding 6.83.

RemediationAI

The primary fix is upgrading to libwww-perl 6.83 or later, which automatically strips Authorization and Proxy-Authorization headers on cross-origin 3xx redirects (different scheme, host, or port). The patched release is available on CPAN; the changelog is at https://metacpan.org/release/OALDERS/libwww-perl-6.83/changes and the upstream fix commit is at https://github.com/libwww-perl/libwww-perl/commit/9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6.patch. Callers who legitimately require cross-origin credential forwarding can opt out by instantiating the agent with allow_credentialed_redirects => 1, but this should be applied only to cases where the redirect target is fully trusted. As a compensating control prior to patching, callers can disable automatic redirect following (max_redirect => 0) and handle 3xx responses manually, stripping credential headers before re-issuing the request; the trade-off is that redirect logic must be implemented in application code, increasing maintenance burden. Alternatively, callers can set requests_redirectable => [] to prevent any method from being auto-redirected. Neither workaround is needed once 6.83 is installed.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected

Share

EUVD-2026-29492 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy