CVE-2026-55568
Status: Received - Intake
Cleartext Transmission of Proxy Credentials in Guzzle

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs
Vendor    Product      Version / Range
guzzle    guzzle       up to 7.12.1 (excluding)
curl      libcurl      up to 7.50.2 (excluding)
guzzle    http_client  up to 7.12.1 (excluding)
libcurl   libcurl      from 7.50.2 (excluding)
CWE
CWE ID Description
CWE-311 The product does not encrypt sensitive or critical information before storage or transmission.
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-55568 is a vulnerability in the guzzlehttp/guzzle PHP HTTP client library versions before 7.12.1. It occurs when an application uses the built-in cURL handlers with an HTTPS proxy while running on libcurl versions older than 7.50.2. These older libcurl versions do not properly support HTTPS proxies and silently downgrade the connection to plaintext HTTP without warning. As a result, sensitive data such as proxy authentication credentials and the target host and port for HTTPS requests are transmitted unencrypted.

This means that traffic expected to be protected by TLS on the hop to the proxy is instead sent in cleartext, exposing confidential information. The vulnerability is fixed in Guzzle version 7.12.1, which now checks for HTTPS-proxy support and rejects unsupported configurations upfront.

Impact Analysis

This vulnerability can lead to the exposure of sensitive information such as proxy authentication credentials and details of HTTPS requests because the traffic is transmitted in cleartext instead of being encrypted. An attacker with network access could intercept this data, leading to potential unauthorized access or information leakage.

The impact is primarily on confidentiality, as indicated by the CVSS score, which rates the confidentiality impact as high. However, exploitation requires network access and has high attack complexity.

Detection Guidance

This vulnerability can be detected by checking if your application uses Guzzle versions prior to 7.12.1 along with libcurl versions older than 7.50.2, and if it is configured to use an https:// proxy expecting TLS encryption.

To detect the vulnerability on your system, you can verify the libcurl version installed and inspect your Guzzle configuration for HTTPS proxy usage.

  • Check the libcurl version: `php -r "var_dump(curl_version());"` reports the libcurl linked into PHP, which is the one that matters here; `curl --version` reports the command-line tool, which may be built against a different libcurl.
  • Check Guzzle version in your project dependencies, for example using Composer: `composer show guzzlehttp/guzzle`
  • Review your application code or configuration for usage of HTTPS proxies with Guzzle's cURL handlers.

Network traffic analysis can also reveal if proxy authentication credentials or CONNECT target host and port are transmitted in cleartext, indicating the vulnerability is active.

Mitigation Strategies

Immediate mitigation steps include upgrading Guzzle to version 7.12.1 or later, which includes a fix that rejects HTTPS proxy configurations when the underlying libcurl does not support HTTPS proxies.

If upgrading is not immediately possible, avoid configuring Guzzle to use HTTPS proxies when running with libcurl versions older than 7.50.2.

Alternatively, upgrade libcurl to version 7.50.2 or newer, which properly supports HTTPS proxies or rejects unsupported proxy schemes.

Verify HTTPS proxy support before use to prevent silent downgrade to cleartext communication.
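As an added example, not code from Guzzle or from this advisory, the following PHP guard implements the detection bullets above and the "verify before use" step: it reads curl_version() and refuses to hand an https:// proxy to the cURL handler when libcurl is older than 7.50.2 or does not advertise HTTPS-proxy support. The proxy URL and credentials are constructed placeholders, and the CURL_VERSION_HTTPS_PROXY constant is assumed to be the one exposed by PHP's cURL extension.

```php
<?php
declare(strict_types=1);

use GuzzleHttp\Client;
use GuzzleHttp\Handler\CurlHandler;
use GuzzleHttp\HandlerStack;

/**
 * Decide whether the running libcurl can be trusted with an https:// proxy.
 * $curlInfo is the array returned by curl_version(); passing it in keeps the
 * check usable against constructed values as well as the live extension.
 */
function libcurlSupportsHttpsProxy(array $curlInfo): bool
{
    // 7.50.2 packed the way libcurl packs version_number: major<<16|minor<<8|patch.
    $minimum = (7 << 16) | (50 << 8) | 2;
    if (($curlInfo['version_number'] ?? 0) < $minimum) {
        return false; // the range the advisory describes as silently downgrading
    }
    // Newer libcurl advertises HTTPS-proxy support as a feature bit; honour it
    // when the PHP build exposes the constant (assumption: PHP cURL extension).
    if (defined('CURL_VERSION_HTTPS_PROXY')) {
        return (($curlInfo['features'] ?? 0) & CURL_VERSION_HTTPS_PROXY) !== 0;
    }
    return true;
}

/**
 * Build a Guzzle client for $proxyUrl, throwing instead of sending the proxy
 * leg in cleartext. Guzzle 7.12.1+ performs an equivalent refusal itself (per
 * the advisory); this guard is for deployments still on an older Guzzle.
 */
function clientWithVerifiedProxy(string $proxyUrl): Client
{
    $scheme = strtolower((string) parse_url($proxyUrl, PHP_URL_SCHEME));
    if ($scheme === 'https' && !libcurlSupportsHttpsProxy(curl_version())) {
        throw new RuntimeException(sprintf(
            'Refusing https:// proxy: libcurl %s cannot encrypt the proxy hop',
            curl_version()['version']
        ));
    }
    return new Client([
        'handler' => HandlerStack::create(new CurlHandler()),
        'proxy'   => $proxyUrl,
    ]);
}

// Usage with a constructed proxy URL (placeholder credentials, not real ones).
$client = clientWithVerifiedProxy('https://user:pass@proxy.example:3128');
```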

Compliance Impact

This vulnerability causes proxy authentication credentials and HTTPS request details to be transmitted in cleartext instead of being protected by TLS. This exposure of sensitive data can lead to confidentiality breaches.

Such exposure of sensitive information may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive data during transmission.

Therefore, applications affected by this vulnerability risk violating these regulations due to the potential unauthorized disclosure of confidential information.
