CVE-2026-34226
Received Received - Intake
Cookie Leakage via Improper Credentials Handling in Happy DOM

Publication date: 2026-03-27

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34226
EUVD
EUVD-2026-16893
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
capricorn86 happy_dom to 20.8.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-359 The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Happy DOM, a JavaScript implementation of a web browser without a graphical user interface. In versions prior to 20.8.9, when the fetch API is used with the option { credentials: "include" }, the code may incorrectly attach cookies from the current page origin (window.location) instead of the intended request target URL. This behavior can cause cookies from one origin (origin A) to be sent to a different destination (destination B), leading to unintended cookie leakage.

Impact Analysis

The vulnerability can lead to the leakage of cookies from one origin to another. This means sensitive session or authentication cookies intended for one website could be exposed to a different site, potentially allowing attackers to hijack sessions or gain unauthorized access to user data.

Mitigation Strategies

To mitigate this vulnerability, upgrade Happy DOM to version 20.8.9 or later, as this version fixes the issue where cookies from the current page origin could be leaked when using fetch with credentials set to "include".

Compliance Impact

This vulnerability in Happy DOM may cause cookies from one origin to be leaked to another origin when using fetch with credentials included. Such unintended cookie leakage can lead to unauthorized exposure of personal or sensitive information.

Since regulations like GDPR and HIPAA require strict controls on personal data confidentiality and integrity, this vulnerability could potentially result in non-compliance if sensitive user data is exposed due to cookie leakage.

Therefore, affected versions prior to 20.8.9 might pose a risk to compliance with these standards until the issue is fixed by upgrading to version 20.8.9 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart