CVE-2026-3099
Replay Attack Vulnerability in Libsoup Digest Authentication
Publication date: 2026-03-12
Last updated on: 2026-03-23
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| gnome | libsoup | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-323 | Nonces should be used for the present occasion and only once. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update libsoup to a version where the server-side digest authentication implementation properly tracks issued nonces and enforces incrementing nonce-count values as required by RFC 7616.
If an immediate update is not possible, consider disabling or restricting the use of Digest Authentication in libsoup-based services to prevent replay attacks.
Additionally, monitor and block repeated requests with identical Authorization headers to reduce the risk of replay attacks.
Can you explain this vulnerability to me?
This vulnerability exists in libsoup's server-side digest authentication implementation, specifically in the SoupAuthDomainDigest class. The flaw is that the server does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute as mandated by RFC 7616. Instead of verifying that each nonce-count value increases with every request, the server only checks if the nonce-count is positive and does not remember previously seen values.

Because of this, an attacker who captures a single valid authentication header can replay it repeatedly without being detected. The nonces are generated insecurely and lack cryptographic signing or expiration, allowing an infinite replay window. This lets the attacker bypass authentication and gain unauthorized access by impersonating a legitimate user. [1]
How can this vulnerability impact me?
This vulnerability can allow a remote attacker to bypass authentication controls by replaying a captured valid authentication header multiple times. As a result, the attacker can gain unauthorized access to protected resources and impersonate legitimate users.
- Unauthorized access to sensitive or protected data.
- Potential compromise of user accounts or sessions.
- Increased risk of data leakage or manipulation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the reuse of a captured valid Authorization header in Digest Authentication, allowing replay attacks. To detect it on your network or system, you can monitor HTTP traffic for repeated identical Authorization headers with the same nonce and nonce-count values.

Commands to help detect this include using packet capture tools like tcpdump or Wireshark to filter and analyze HTTP Digest Authentication headers.

- Use tcpdump to capture HTTP traffic on the relevant port (e.g., port 80 or 443): `tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443'`
- In the captured traffic, look for repeated Authorization headers with identical nonce and nonce-count (nc) values.
- Alternatively, use Wireshark to filter HTTP requests with Digest Authentication and inspect the Authorization headers for repeated nonce and nonce-count values.

Repeated reuse of the same nonce and nonce-count values in Authorization headers indicates the presence of this vulnerability being exploited. [1]
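The nonce-count check described above, as an added example that is not libsoup's own code: a small Python tracker that parses Digest Authorization header values and rejects any request whose nc does not strictly increase for its nonce, the RFC 7616 rule the vulnerable server skipped. Run over Authorization values pulled from a capture, the same stateful check is the detection logic the tcpdump/Wireshark steps above perform by hand. The header values, the nonce "n1" and the credential fields are constructed, and verification of the response digest itself is assumed to have already passed.

```python
import re
from typing import Dict, List, Tuple

# key="quoted value" or key=token, as they appear in a Digest header value
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest(header: str) -> Dict[str, str]:
    """Split an 'Authorization: Digest ...' value into its parameters."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {k: quoted or token for k, quoted, token in _PARAM_RE.findall(params)}


class NonceTracker:
    """RFC 7616 nonce-count check the vulnerable server lacked: the nonce must be one
    the server issued, and each request's nc must exceed the last nc accepted for it.
    A captured-and-replayed header repeats an nc already seen, so it is rejected."""

    def __init__(self, issued_nonces: List[str]) -> None:
        # nonce -> highest nc accepted so far (0 = never used); unknown nonces are refused
        self._last_nc = {n: 0 for n in issued_nonces}

    def check(self, header: str) -> Tuple[bool, str]:
        p = parse_digest(header)
        nonce = p.get("nonce")
        if nonce not in self._last_nc:
            return False, "unknown or expired nonce"
        try:
            nc = int(p["nc"], 16)  # nc is 8 hex digits
        except (KeyError, ValueError):
            return False, "missing or malformed nc"
        if nc <= self._last_nc[nonce]:  # the flawed code only required nc > 0
            return False, f"replay: nc={p['nc']} not above {self._last_nc[nonce]:08x}"
        self._last_nc[nonce] = nc
        return True, "ok"


# Constructed sample traffic: a client's nc=1 and nc=2, both replayed, then nc=3 and a stale nonce.
_BASE = 'Digest username="alice", realm="example", nonce="{n}", uri="/secret", qop=auth, nc={nc}, cnonce="0a4f", response="00"'
SAMPLE_HEADERS = [_BASE.format(n=n, nc=nc) for n, nc in [
    ("n1", "00000001"), ("n1", "00000002"), ("n1", "00000001"),
    ("n1", "00000002"), ("n1", "00000003"), ("n0", "00000001")]]


def audit_headers(headers: List[str], issued=("n1",)) -> List[bool]:
    """Replay the capture through the tracker; False marks a header the fix would reject."""
    tracker = NonceTracker(list(issued))
    return [tracker.check(h)[0] for h in headers]


if __name__ == "__main__":
    for h, ok in zip(SAMPLE_HEADERS, audit_headers(SAMPLE_HEADERS)):
        print("ACCEPT" if ok else "REJECT", parse_digest(h)["nonce"], parse_digest(h)["nc"])
```

The check is only meaningful with state: the same nc=00000001 header that is rejected as the third request is accepted by a fresh tracker, which is exactly why a server that forgets seen values cannot notice the replay.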