CVE-2026-39807
Deferred Deferred - Pending Action
Transport State Spoofing in Bandit HTTP Server

Publication date: 2026-05-01

Last updated on: 2026-05-05

Assigner: EEF

Description
Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated. Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions. This issue affects bandit: from 1.0.0 before 1.11.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39807
EUVD
EUVD-2026-26714
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mtrudel bandit From 1.0.0 (inc) to 1.11.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the mtrudel bandit library, specifically in the function 'Elixir.Bandit.Pipeline':determine_scheme/2. The function returns the client-supplied URI scheme without verifying if the transport layer is actually secure. Attackers can exploit this by sending HTTP requests over plaintext connections but declaring the scheme as 'https'. As a result, the system mistakenly treats the connection as secure even though no TLS encryption was established.

This leads to unauthenticated transport-state spoofing, where downstream components relying on the scheme to make security decisions are misled. For example, security features like HTTP to HTTPS redirects, secure cookie flags, audit logging, and CSRF protections may be bypassed or incorrectly applied.

Impact Analysis

The vulnerability can cause your application to mistakenly treat insecure HTTP connections as secure HTTPS connections. This can lead to several security issues:

  • HTTP to HTTPS redirects may be skipped, leaving users on insecure connections.
  • Cookies marked as secure could be sent over plaintext connections, exposing them to interception.
  • Audit logs may incorrectly record requests as secure, misleading security monitoring.
  • CSRF and SameSite protections may fail or be bypassed due to incorrect assumptions about the connection security.

Overall, this can increase the risk of data interception, session hijacking, and other attacks that rely on insecure transport.

Compliance Impact

This vulnerability causes Bandit to incorrectly treat plaintext HTTP connections as secure HTTPS connections due to reliance on untrusted client-supplied URI schemes. As a result, security controls such as HTTP to HTTPS redirects, secure cookie flags, audit logging, and CSRF/SameSite protections may be bypassed or misapplied.

Such misconfigurations can lead to sensitive data being transmitted over unencrypted channels and inaccurate security logging, which may violate requirements in standards and regulations like GDPR and HIPAA that mandate protection of personal and sensitive data in transit and proper audit trails.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP/1.1 absolute-form requests or HTTP/2 :scheme pseudo-headers that declare "https" over plaintext (non-TLS) connections. An example is a request line like `GET https://victim/path HTTP/1.1` sent over a plaintext TCP connection.

To detect such attempts on your network, you can capture and inspect HTTP traffic for absolute-form request targets or HTTP/2 pseudo-headers indicating "https" on non-secure connections.

  • Use tcpdump or tshark to capture HTTP traffic on the relevant port, for example: `tcpdump -A -s 0 'tcp port 80'`
  • Use tshark to filter HTTP/1.1 requests with absolute-form targets containing "https": `tshark -Y 'http.request.uri contains "https://"' -T fields -e http.request.line`
  • For HTTP/2, inspect the :scheme pseudo-header for "https" values on plaintext connections using tools that can decode HTTP/2 frames, such as Wireshark with HTTP/2 dissector enabled.

Additionally, review application logs for indications that requests are being logged as HTTPS when no TLS was negotiated, which may indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation involves upgrading the Bandit web server to version 1.11.0 or later, where the vulnerability is fixed by ensuring the scheme is derived solely from the transport's security status and not from client-supplied values.

If upgrading is not immediately possible, consider restricting or disabling plaintext HTTP (non-TLS) connections to Bandit, forcing all traffic to use TLS to prevent transport-state spoofing.

Review downstream application logic that relies on `conn.scheme` for security decisions (such as Plug.SSL redirects, secure cookie flags, CSRF/SameSite policies) to ensure they do not trust the scheme without verifying transport security.

Monitor network traffic for suspicious absolute-form HTTP requests or HTTP/2 :scheme headers declaring "https" over plaintext connections as part of ongoing detection and response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39807. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart