CVE-2026-43505
Undergoing Analysis - In Progress
Proxy65 Relay Access Control Bypass in Prosody

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: MITRE

Description
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in the activation scenario, relaying of unauthenticated traffic can occur.
Meta Information
Published: 2026-05-01
Last Modified: 2026-05-01
Generated: 2026-06-16
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product    Version / Range
prosody   prosody    to 0.12.6 (exc)
prosody   prosody    From 13.0.0 (inc) to 13.0.5 (exc)
CWE ID Description
CWE-420 The product protects a primary channel, but it does not use the same level of protection for an alternate channel.
Detection Guidance

The provided resources do not include specific detection methods or commands to identify this vulnerability on a network or system.

Compliance Impact

The provided information does not specify how the vulnerability in Prosody's mod_proxy65 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-43505 involves two vulnerabilities in the Prosody XMPP server versions prior to 13.0.5 (and 0.12.6 for the 0.12 series). One vulnerability is a Denial of Service (DoS) caused by memory exhaustion, where unauthenticated attackers can send crafted traffic to consume excessive memory due to rate limit weaknesses and resource leaks. The second vulnerability is related to the mod_proxy65 module, which mishandles access control, allowing unauthenticated users to relay traffic through the SOCKS5 proxy without authorization.

Impact Analysis

The vulnerabilities can impact you by allowing unauthenticated attackers to either cause a Denial of Service (DoS) on your Prosody server through memory exhaustion, potentially disrupting service availability, or by enabling unauthorized use of the SOCKS5 proxy (mod_proxy65) to relay traffic. This unauthorized proxy usage could be exploited to bypass network restrictions or anonymize malicious traffic.

Mitigation Strategies

To mitigate the vulnerability in Prosody related to mod_proxy65:

  • Upgrade Prosody to version 0.12.6 or 13.0.5 or later.
  • Disable the mod_proxy65 module if it is not needed.
  • Review and adjust firewall limits to restrict connection rates and reduce exposure.