Executive Summary

CVE-2026-32627 is a high-severity vulnerability in the cpp-httplib C++ HTTP/HTTPS library versions up to 0.37.1. When a cpp-httplib client is configured to use a proxy and has redirect following enabled (set_follow_location(true)), the TLS certificate and hostname verification are silently disabled on HTTPS redirects. This means the client will accept any TLS certificate presented by the redirect target—including expired, self-signed, or forged certificates—without raising any error or notifying the application.

The root cause is that when following a redirect through a proxy, the library forcibly disables server certificate and hostname verification on the new SSL connection, unlike the non-proxy path which preserves the original verification settings. Additionally, all authentication credentials are copied to the redirect client before verification is disabled, exposing sensitive data over an unverified TLS connection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a network attacker who can control or intercept the redirect response, proxy, or DNS resolution to fully intercept the follow-up HTTPS connection. Because TLS verification is disabled, the attacker can present any certificate and the client will accept it silently.

As a result, the attacker can read and modify all data transmitted over the connection, including sensitive credentials and session tokens. This compromises the confidentiality and integrity of the communication, potentially leading to unauthorized access, data theft, or session hijacking.

The vulnerability is particularly relevant in environments where proxies and redirects are common, such as corporate networks and IoT deployments.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when a cpp-httplib client is configured with a proxy and set_follow_location(true), causing TLS certificate and hostname verification to be silently disabled on HTTPS redirects. Detection involves identifying cpp-httplib clients using versions prior to 0.37.2 with proxy and redirect following enabled.

To detect exploitation or presence of this vulnerability on your network or system, you can monitor for HTTPS redirect responses followed by TLS connections that accept invalid certificates without errors or warnings.

Suggested commands include using network traffic analysis tools like tcpdump or Wireshark to capture and inspect HTTPS redirect flows and TLS handshakes for certificate validation failures or acceptance of self-signed/expired certificates.

• Use tcpdump to capture traffic on the relevant interface: tcpdump -i <interface> -w capture.pcap
• Analyze the capture with Wireshark to look for HTTP 3xx redirect responses followed by TLS handshakes that accept invalid certificates.
• Check application logs or enable verbose logging in cpp-httplib clients to detect if certificate verification is disabled during redirects.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the cpp-httplib library to version 0.37.2 or later, where the vulnerability is fixed by preserving SSL verification settings when following HTTPS redirects through a proxy.

If upgrading immediately is not possible, temporarily disable the use of proxies or the set_follow_location(true) option in cpp-httplib clients to avoid triggering the vulnerable code path.

Additionally, review and monitor network traffic for suspicious redirects and TLS connections that may indicate exploitation attempts.

• Upgrade cpp-httplib to version 0.37.2 or later.
• Disable proxy configuration or set_follow_location(true) in the client until the patch is applied.
• Implement network monitoring to detect suspicious redirect and TLS handshake behavior.

Useful 0 Not Useful 0