CVE-2026-34226
Modified Modified - Updated After Analysis

Cookie Leakage via Improper Credentials Handling in Happy DOM

Vulnerability report for CVE-2026-34226, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-27

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-27
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-03-28
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
capricorn86 happy_dom to 20.8.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Happy DOM, a JavaScript implementation of a web browser without a graphical user interface. In versions prior to 20.8.9, when the fetch API is used with the option { credentials: "include" }, the code may incorrectly attach cookies from the current page origin (window.location) instead of the intended request target URL. This behavior can cause cookies from one origin (origin A) to be sent to a different destination (destination B), leading to unintended cookie leakage.

Impact Analysis

The vulnerability can lead to the leakage of cookies from one origin to another. This means sensitive session or authentication cookies intended for one website could be exposed to a different site, potentially allowing attackers to hijack sessions or gain unauthorized access to user data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Happy DOM to version 20.8.9 or later, as this version fixes the issue where cookies from the current page origin could be leaked when using fetch with credentials set to "include".

Compliance Impact

This vulnerability in Happy DOM may cause cookies from one origin to be leaked to another origin when using fetch with credentials included. Such unintended cookie leakage can lead to unauthorized exposure of personal or sensitive information.

Since regulations like GDPR and HIPAA require strict controls on personal data confidentiality and integrity, this vulnerability could potentially result in non-compliance if sensitive user data is exposed due to cookie leakage.

Therefore, affected versions prior to 20.8.9 might pose a risk to compliance with these standards until the issue is fixed by upgrading to version 20.8.9 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart