CVE-2026-9678
Received - Intake
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: openjs

Description
Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored. In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key. Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.

Patches: Upgrade to undici v7.28.0 or v8.5.0.

Workarounds: If upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-18
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
EUVD
Affected Vendors & Products
Showing 6 associated CPEs
Vendor   Product   Version / Range
nodejs   undici    7.0.0
nodejs   undici    7.27.0
nodejs   undici    8.0.0
nodejs   undici    8.4.0
nodejs   undici    From 7.28.0 (inc)
nodejs   undici    From 8.5.0 (inc)
CWE
CWE ID Description
CWE-524 The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Executive Summary

This vulnerability occurs in Undici's cache interceptor when it incorrectly classifies some HTTP responses as cacheable due to whitespace-padded field names in the Cache-Control header, such as private=" authorization" or no-cache=" authorization". The parser preserves the whitespace, so the comparison against the literal field name authorization fails and the directive goes unrecognized. As a result, responses that should not be cached are stored in the cache.

In shared-cache mode, this flaw allows a response containing one user's authenticated data to be served from the cache to another user, including unauthenticated users, if both requests share the same cache key.

The vulnerability affects applications that enable the cache interceptor in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-standard whitespace-padded private or no-cache directives.

Impact Analysis

This vulnerability can lead to cross-user information disclosure by serving authenticated data from one user to another user, including unauthenticated users, due to improper caching.

Specifically, sensitive information intended for one user could be exposed to others if the application uses shared-cache mode with the affected Undici versions and the described cache-control headers.

This compromises confidentiality but does not affect integrity or availability.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade to undici version 7.28.0 or 8.5.0.

If upgrading is not immediately possible, consider the following workarounds:

  • Disable shared-cache mode for traffic that includes Authorization headers.
  • Avoid caching responses to authenticated requests.
  • Add the header 'Vary: Authorization' upstream to prevent improper caching.
Compliance Impact

This vulnerability allows unauthorized access to cached authenticated user data by serving one user's sensitive information to another user, including unauthenticated callers. Such unintended disclosure of sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and privacy of personal and health-related data.

Specifically, the issue arises when the cache interceptor incorrectly caches responses containing sensitive authorization data due to improper handling of Cache-Control headers with whitespace-padded directives. This can result in cross-user information disclosure, undermining compliance requirements for data confidentiality and access controls.

Mitigations such as upgrading to fixed versions, disabling shared-cache mode for traffic that carries Authorization headers, or adding appropriate cache control headers are necessary to maintain compliance with these standards.

Detection Guidance

This vulnerability involves incorrect caching behavior in undici's cache interceptor when Cache-Control headers contain whitespace-padded private or no-cache directives. Detection involves identifying if your system uses vulnerable undici versions (7.0.0 through 7.27.0 or 8.0.0 through 8.4.0) with shared-cache mode enabled and forwarding Authorization headers upstream.

To detect potential exploitation or presence of this vulnerability on your network or system, you can:

  • Check the version of undici in use to confirm if it is within the vulnerable range.
  • Inspect HTTP response headers for Cache-Control directives that include whitespace-padded private or no-cache fields, such as private=" authorization" or no-cache="\tauthorization".
  • Monitor cache hits for responses that should not be cached, especially those involving Authorization headers.

Example commands to assist detection:

  • Use curl or similar tools to inspect Cache-Control headers in responses: curl -I https://your.service/endpoint | grep -i Cache-Control
  • Use network traffic analysis tools (e.g., tcpdump, Wireshark) to capture and analyze HTTP headers for suspicious Cache-Control directives.
  • Check your application's package.json or dependency lock files to identify the undici version: grep undici package.json package-lock.json yarn.lock
  • Review application logs or cache logs for unexpected cache hits on authenticated requests.