CVE-2026-39807
Transport State Spoofing in Bandit HTTP Server
Publication date: 2026-05-01
Last updated on: 2026-05-05
Assigner: EEF
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mtrudel | bandit | From 1.0.0 (inc) to 1.11.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the mtrudel bandit library, specifically in the function 'Elixir.Bandit.Pipeline':determine_scheme/2. The function returns the client-supplied URI scheme without verifying if the transport layer is actually secure. Attackers can exploit this by sending HTTP requests over plaintext connections but declaring the scheme as 'https'. As a result, the system mistakenly treats the connection as secure even though no TLS encryption was established.
This leads to unauthenticated transport-state spoofing, where downstream components relying on the scheme to make security decisions are misled. For example, security features like HTTP to HTTPS redirects, secure cookie flags, audit logging, and CSRF protections may be bypassed or incorrectly applied.
How can this vulnerability impact me? :
The vulnerability can cause your application to mistakenly treat insecure HTTP connections as secure HTTPS connections. This can lead to several security issues:
- HTTP to HTTPS redirects may be skipped, leaving users on insecure connections.
- Cookies marked as secure could be sent over plaintext connections, exposing them to interception.
- Audit logs may incorrectly record requests as secure, misleading security monitoring.
- CSRF and SameSite protections may fail or be bypassed due to incorrect assumptions about the connection security.
Overall, this can increase the risk of data interception, session hijacking, and other attacks that rely on insecure transport.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes Bandit to incorrectly treat plaintext HTTP connections as secure HTTPS connections due to reliance on untrusted client-supplied URI schemes. As a result, security controls such as HTTP to HTTPS redirects, secure cookie flags, audit logging, and CSRF/SameSite protections may be bypassed or misapplied.
Such misconfigurations can lead to sensitive data being transmitted over unencrypted channels and inaccurate security logging, which may violate requirements in standards and regulations like GDPR and HIPAA that mandate protection of personal and sensitive data in transit and proper audit trails.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP/1.1 absolute-form requests or HTTP/2 :scheme pseudo-headers that declare "https" over plaintext (non-TLS) connections. An example is a request line like `GET https://victim/path HTTP/1.1` sent over a plaintext TCP connection.
To detect such attempts on your network, you can capture and inspect HTTP traffic for absolute-form request targets or HTTP/2 pseudo-headers indicating "https" on non-secure connections.
- Use tcpdump or tshark to capture HTTP traffic on the relevant port, for example: `tcpdump -A -s 0 'tcp port 80'`
- Use tshark to filter HTTP/1.1 requests with absolute-form targets containing "https": `tshark -Y 'http.request.uri contains "https://"' -T fields -e http.request.line`
- For HTTP/2, inspect the :scheme pseudo-header for "https" values on plaintext connections using tools that can decode HTTP/2 frames, such as Wireshark with HTTP/2 dissector enabled.
Additionally, review application logs for indications that requests are being logged as HTTPS when no TLS was negotiated, which may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves upgrading the Bandit web server to version 1.11.0 or later, where the vulnerability is fixed by ensuring the scheme is derived solely from the transport's security status and not from client-supplied values.
If upgrading is not immediately possible, consider restricting or disabling plaintext HTTP (non-TLS) connections to Bandit, forcing all traffic to use TLS to prevent transport-state spoofing.
Review downstream application logic that relies on `conn.scheme` for security decisions (such as Plug.SSL redirects, secure cookie flags, CSRF/SameSite policies) to ensure they do not trust the scheme without verifying transport security.
Monitor network traffic for suspicious absolute-form HTTP requests or HTTP/2 :scheme headers declaring "https" over plaintext connections as part of ongoing detection and response.