CVE-2026-1467
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Summary
A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
Workarounds
To mitigate this issue, avoid processing untrusted URLs in applications that use the libsoup library with an HTTP proxy configured. Restricting network access to the HTTP proxy can also limit potential exposure.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/security/cve/CVE-2026-1467
- https://bugzilla.redhat.com/show_bug.cgi?id=2433174
- https://gitlab.gnome.org/GNOME/libsoup/-/issues/488
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.