CVE-2026-32881
Authentication Bypass via Header Injection in ewe Web Server
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vshakitskiy | ewe | up to 3.0.5 (excluding 3.0.5) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-183 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32881 is a vulnerability in the Gleam web server "ewe" (versions 0.6.0 through 3.0.4) related to how it handles HTTP chunked transfer encoding trailers. The server merges declared trailer fields into the request headers after parsing the body, but it only blocks nine specific header names in its denylist. This allows a malicious client to declare sensitive headers in the Trailer field and append them after the final chunk, causing the server to overwrite legitimate header values.

This flaw enables attackers to forge authentication credentials, hijack sessions, bypass IP-based rate limiting, or spoof proxy-trust headers in downstream middleware that reads headers after the body is parsed. The vulnerability arises because the denylist omits several security-sensitive headers such as authorization, cookie, set-cookie, proxy-authorization, and various x-forwarded headers.

The issue was fixed in version 3.0.5 by replacing the denylist with an allowlist approach that only permits explicitly safe trailer headers, thereby preventing unauthorized trailer headers from being merged into the request.
How can this vulnerability impact me?
This vulnerability can have several impacts on users of the affected ewe web server versions:
- Attackers can forge authentication credentials, allowing unauthorized access.
- Session hijacking is possible by injecting or overwriting session cookies.
- IP-based rate limiting can be bypassed by spoofing client IP headers.
- Proxy-trust headers can be spoofed, potentially misleading downstream middleware about the true client or proxy.
Overall, these impacts can compromise authentication middleware, session validation, and security controls relying on trusted headers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious clients injecting or overwriting sensitive HTTP headers via chunked transfer encoding trailers. Detection involves monitoring HTTP requests for chunked transfer encoding with trailer headers that include sensitive fields such as authorization, cookie, set-cookie, proxy-authorization, x-forwarded-for, x-forwarded-host, x-forwarded-proto, or x-real-ip.

To detect exploitation attempts on your network or system, you can inspect HTTP requests for chunked transfer encoding with trailer headers containing these sensitive fields. Network packet capture tools like tcpdump or Wireshark can be used to capture HTTP traffic, and filtering for chunked requests with Trailer headers can help identify suspicious activity.

- Use tcpdump to capture HTTP traffic on port 80 (or on port 443 only where that traffic is not TLS-encrypted), keeping only TCP segments that carry payload: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
- Use Wireshark to filter HTTP requests with chunked transfer encoding and Trailer headers by applying display filters such as: http.transfer_encoding == "chunked" and http.trailer
- Search server logs for HTTP requests containing the "Trailer" header or suspicious header injections after the final chunk.

Because the vulnerability exploits the merging of trailer headers into request headers after body parsing, monitoring for unexpected or duplicated sensitive headers in requests can also help detect attempts.
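The two answers above describe the same mechanism from both sides: a denylist-based trailer merge that lets sensitive names through (pre-3.0.5), the allowlist merge that fixes it, and a detection check for sensitive names declared as trailers. The following Python is an added illustration, not ewe's Gleam code; the denylist and allowlist contents, the function names and the sample request are constructed assumptions, since the page does not list ewe's nine denied names.

```python
# Added example (not ewe's code): minimal chunked-body parser plus the two
# trailer-merge policies the advisory contrasts, and a detection helper.

# Header names the advisory lists as security-sensitive when sent as trailers.
SENSITIVE = {"authorization", "cookie", "set-cookie", "proxy-authorization",
             "x-forwarded-for", "x-forwarded-host", "x-forwarded-proto", "x-real-ip"}

# Constructed denylist standing in for the pre-3.0.5 behaviour: it covers
# message-framing fields but none of the names in SENSITIVE.
DENYLIST = {"transfer-encoding", "content-length", "host", "trailer", "connection"}
# Constructed allowlist modelling the 3.0.5 fix: only explicitly safe names pass.
ALLOWLIST = {"content-md5", "x-checksum"}

def parse_chunked(body: bytes):
    """Return (payload, trailers) for a chunked body; trailer names lowercased."""
    payload, pos, trailers = bytearray(), 0, {}
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:          # last-chunk: trailer section follows
            break
        payload += body[pos:pos + size]
        pos += size + 2        # skip chunk data and its trailing CRLF
    for line in body[pos:].split(b"\r\n"):
        if line:
            name, _, value = line.decode("latin-1").partition(":")
            trailers[name.strip().lower()] = value.strip()
    return bytes(payload), trailers

def merge_denylist(headers, trailers):
    """Vulnerable policy: any trailer not explicitly denied overwrites the header."""
    merged = dict(headers)
    merged.update({k: v for k, v in trailers.items() if k not in DENYLIST})
    return merged

def merge_allowlist(headers, trailers):
    """Fixed policy: only explicitly allowed trailer names are merged."""
    merged = dict(headers)
    merged.update({k: v for k, v in trailers.items() if k in ALLOWLIST})
    return merged

def suspicious_trailers(trailers):
    """Detection helper: sensitive header names that arrived as trailers."""
    return sorted(set(trailers) & SENSITIVE)

# Constructed request: body "hello", then two trailer fields after the last chunk.
BODY = b"5\r\nhello\r\n0\r\nAuthorization: Bearer forged\r\nX-Checksum: abc\r\n\r\n"
HEADERS = {"authorization": "Bearer legit", "host": "app.example"}
```

Running the denylist merge on BODY replaces the legitimate authorization value, while the allowlist merge keeps it and only admits x-checksum; suspicious_trailers flags the authorization trailer for alerting.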
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the ewe web server to version 3.0.5 or later, where this vulnerability has been fixed by implementing an allowlist approach for trailer headers and removing unsafe trailer header handling.
If upgrading immediately is not possible, consider implementing network-level controls to block or inspect HTTP requests with chunked transfer encoding that include suspicious Trailer headers containing sensitive fields.
Additionally, review and harden any reverse proxy or middleware that relies on headers such as authorization, cookie, and x-forwarded-for to ensure they validate and sanitize incoming headers properly.
Monitoring and alerting on unusual or unexpected header values in requests can help detect exploitation attempts early.