CVE-2026-5119
Modified Modified - Updated After Analysis
Cleartext Session Cookie Exposure in Libsoup HTTPS Proxy Tunnels

Publication date: 2026-03-30

Last updated on: 2026-06-09

Assigner: Red Hat, Inc.

Description
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-06-09
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5119
EUVD
EUVD-2026-17062
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
gnome libsoup *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5119 is a security flaw in libsoup that occurs when establishing HTTPS tunnels through an HTTP proxy. During this process, sensitive session cookies are sent in cleartext within the initial HTTP CONNECT request.

Because these cookies are not encrypted, a network-positioned attacker or a malicious HTTP proxy can intercept them.

Intercepting these cookies can lead to session hijacking or user impersonation.

Impact Analysis

This vulnerability can allow attackers who are positioned on the network or control the HTTP proxy to intercept sensitive session cookies.

With these intercepted cookies, attackers can hijack user sessions or impersonate users, potentially gaining unauthorized access to user accounts or sensitive information.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for HTTP CONNECT requests that contain sensitive session cookies transmitted in cleartext.

You can use network packet capture tools such as tcpdump or Wireshark to inspect the initial HTTP CONNECT requests sent through HTTP proxies.

  • Use tcpdump to capture traffic on the relevant network interface filtering for HTTP CONNECT requests: tcpdump -i <interface> -A 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use Wireshark to filter HTTP CONNECT requests and inspect headers for presence of cookies in cleartext.

Detection involves identifying cookies in the HTTP CONNECT request headers, which should normally not contain sensitive cookies in cleartext.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of HTTP proxies for HTTPS tunnel establishment with libsoup until a patch is applied.

Ensure that libsoup is updated to a version where this vulnerability is fixed.

If possible, configure your environment to prevent transmission of sensitive cookies in HTTP CONNECT requests or use alternative secure proxy configurations.

Monitor network traffic for suspicious activity that could indicate exploitation attempts.

Compliance Impact

The vulnerability allows sensitive session cookies to be transmitted in cleartext, which can be intercepted by attackers. This exposure of sensitive information could lead to unauthorized access and user impersonation.

Such exposure of sensitive data may violate data protection requirements in common standards and regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information during transmission.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5119. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart