CVE-2026-5119
Cleartext Session Cookie Exposure in Libsoup HTTPS Proxy Tunnels
Publication date: 2026-03-30
Last updated on: 2026-05-06
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| gnome | libsoup | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows sensitive session cookies to be transmitted in cleartext, which can be intercepted by attackers. This exposure of sensitive information could lead to unauthorized access and user impersonation.
Such exposure of sensitive data may violate data protection requirements in common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information during transmission.
Can you explain this vulnerability to me?
CVE-2026-5119 is a security flaw in libsoup that occurs when establishing HTTPS tunnels through an HTTP proxy. During this process, sensitive session cookies are sent in cleartext within the initial HTTP CONNECT request.
Because these cookies are not encrypted, a network-positioned attacker or a malicious HTTP proxy can intercept them.
Intercepting these cookies can lead to session hijacking or user impersonation.
How can this vulnerability impact me?
This vulnerability can allow attackers who are positioned on the network or control the HTTP proxy to intercept sensitive session cookies.
With these intercepted cookies, attackers can hijack user sessions or impersonate users, potentially gaining unauthorized access to user accounts or sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for HTTP CONNECT requests that contain sensitive session cookies transmitted in cleartext.
You can use network packet capture tools such as tcpdump or Wireshark to inspect the initial HTTP CONNECT requests sent through HTTP proxies.
- Use tcpdump to capture packets that carry a TCP payload on the proxy port (8080 in this example) and print them as ASCII, then look for HTTP CONNECT request lines in the output: `tcpdump -i <interface> -A 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`
- Use Wireshark to filter HTTP CONNECT requests and inspect headers for presence of cookies in cleartext.
Detection involves identifying cookies in the HTTP CONNECT request headers, which should normally not contain sensitive cookies in cleartext.
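The check described above, as an added example that is not part of the original advisory or of libsoup: given reassembled client-to-proxy TCP payloads, it flags CONNECT requests that carry a Cookie header and reports cookie names only, never values. The function names, hostnames and sample streams are constructed for illustration.

```python
import re

# Request line of a proxy tunnel request: "CONNECT host:port HTTP/1.x"
CONNECT_LINE = re.compile(rb"^CONNECT\s+(\S+)\s+HTTP/1\.[01]$")


def parse_connect_head(stream: bytes):
    """Return (target, headers) if the stream starts with a CONNECT request, else None."""
    # Only the cleartext head (up to the first blank line) is parsed;
    # everything after it is the TLS tunnel and is ignored.
    head, _, _ = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = CONNECT_LINE.match(lines[0].strip())
    if not match:
        return None
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # header names are case-insensitive, so normalise to lower case
            headers.append((name.strip().lower().decode("latin-1"),
                            value.strip().decode("latin-1")))
    return match.group(1).decode("latin-1"), headers


def find_connect_cookie_leaks(streams):
    """Flag CONNECT requests carrying a Cookie header; report names, not values."""
    findings = []
    for index, stream in enumerate(streams):
        parsed = parse_connect_head(stream)
        if parsed is None:
            continue  # not a tunnel request (e.g. plain HTTP via the proxy)
        target, headers = parsed
        for name, value in headers:
            if name == "cookie":
                cookie_names = [pair.split("=", 1)[0].strip()
                                for pair in value.split(";") if pair.strip()]
                findings.append({"stream": index, "target": target,
                                 "cookie_names": cookie_names})
    return findings


# Constructed sample payloads (not from a real capture).
SAMPLE_STREAMS = [
    b"CONNECT shop.example.test:443 HTTP/1.1\r\nHost: shop.example.test:443\r\n"
    b"cookie: sessionid=REDACTED1; theme=dark\r\n\r\n\x16\x03\x01\x02\x00",
    b"CONNECT api.example.test:443 HTTP/1.1\r\nHost: api.example.test:443\r\n\r\n",
    b"GET http://plain.example.test/ HTTP/1.1\r\nCookie: a=b\r\n\r\n",
]
```

Calling `find_connect_cookie_leaks(SAMPLE_STREAMS)` returns one finding, for the first stream; the second CONNECT has no Cookie header and the third is not a tunnel request.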
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of HTTP proxies for HTTPS tunnel establishment with libsoup until a patch is applied.
Ensure that libsoup is updated to a version where this vulnerability is fixed.
If possible, configure your environment to prevent transmission of sensitive cookies in HTTP CONNECT requests or use alternative secure proxy configurations.
Monitor network traffic for suspicious activity that could indicate exploitation attempts.