CVE-2026-33745
Received Received - Intake
Authorization Header Exposure via Redirects in cpp-httplib HTTP Client

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33745
EUVD
EUVD-2026-16515
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yhirose cpp-httplib to 0.39.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33745 is a high-severity vulnerability in the cpp-httplib C++ HTTP client library (versions up to 0.38.0) where the client improperly forwards stored authentication credentials (Basic Auth, Bearer Token, Digest Auth) to arbitrary hosts when following cross-origin HTTP redirects (status codes 301, 302, 307, 308).

The root cause is that although the Authorization header is initially stripped when a redirect to a different origin is detected, the stored credentials are then re-attached to the new client targeting the redirected host. This causes the Authorization header to be re-injected and sent in plaintext to potentially attacker-controlled hosts.

Additionally, there is no protection against HTTPS-to-HTTP downgrade redirects, which can expose credentials originally sent over TLS in cleartext.

Impact Analysis

This vulnerability can lead to the exposure of sensitive authentication credentials to attackers. If an application using cpp-httplib follows redirects to attacker-controlled hosts, the attacker can capture plaintext credentials such as Basic Auth, Bearer Tokens (including JWTs and API keys), and Digest Auth credentials.

Attackers can exploit this by causing the client to follow malicious redirects, including through compromised servers, open redirect vulnerabilities, or man-in-the-middle attacks injecting redirects.

The lack of HTTPS-to-HTTP downgrade protection further increases risk by allowing credentials to be transmitted unencrypted.

Overall, this can result in credential theft, unauthorized access, and potential compromise of systems relying on these credentials.

Detection Guidance

This vulnerability can be detected by monitoring HTTP client traffic for Authorization headers being sent to unexpected or untrusted hosts following HTTP redirects (status codes 301, 302, 307, 308). Specifically, look for cases where Basic Auth, Bearer Token, or Digest Auth credentials are forwarded to a different origin than the original request.

Network detection can involve capturing and analyzing HTTP requests to identify Authorization headers sent after redirects to different hosts or schemes (e.g., HTTPS to HTTP).

Suggested commands include using network traffic analysis tools such as tcpdump or Wireshark to capture HTTP traffic and filter for Authorization headers and redirect status codes.

  • tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Authorization:'
  • Use Wireshark to filter HTTP traffic with the display filter: http.authorization and http.response.code == 301 or 302 or 307 or 308

Additionally, reviewing application logs or enabling verbose/debug logging in cpp-httplib clients to track redirect events and outgoing Authorization headers can help detect the vulnerability in use.

Mitigation Strategies

The immediate mitigation step is to upgrade cpp-httplib to version 0.39.0 or later, where the vulnerability is fixed by preventing authentication credentials from being copied to redirect clients targeting different origins.

If upgrading is not immediately possible, disable automatic following of redirects in the cpp-httplib client by setting `set_follow_location(false)` to prevent the client from following cross-origin redirects that leak credentials.

Avoid using authentication methods (Basic Auth, Bearer Token, Digest Auth) in combination with automatic redirect following until the fix is applied.

Additionally, monitor and block HTTPS-to-HTTP downgrade redirects, as these can expose credentials in plaintext.

Compliance Impact

This vulnerability causes leakage of authentication credentials in plaintext to attacker-controlled hosts during cross-origin HTTP redirects. Such exposure of sensitive authentication data can lead to unauthorized access and data breaches.

Because the vulnerability results in exposure of sensitive information (credentials) to unauthorized actors, it can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and proper access controls.

Specifically, the leakage of credentials violates principles of confidentiality and data protection mandated by these regulations, potentially leading to regulatory penalties and loss of trust.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33745. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart