CVE-2026-48022
Received Received - Intake

Authorization Header Leak in @hapi/wreck via Cross-Origin Redirect

Vulnerability report for CVE-2026-48022, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

@hapi/wreck is an HTTP client utility. Prior to 18.1.2, Wreck strips credential headers including Authorization, Cookie, and Proxy-Authorization before following a cross-origin redirect, but the origin check compares hostnames only and ignores scheme and port, so credentials are forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, allowing a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hapi wreck to 18.1.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the @hapi/wreck HTTP client utility before version 18.1.2. It involves improper handling of credential headers during cross-origin redirects. The system strips headers like Authorization and Cookie before following redirects but only compares hostnames, ignoring scheme and port. This allows credentials to be sent across same-host port changes or HTTPS-to-HTTP downgrades, potentially exposing them to attackers.

Detection Guidance

This vulnerability involves improper handling of credentials during cross-origin redirects in @hapi/wreck versions before 18.1.2. To detect it, check if your application uses an affected version by inspecting package.json or running npm list @hapi/wreck. Monitor network traffic for unexpected credential exposure during redirects.

Impact Analysis

An attacker could capture sensitive credentials like bearer tokens or session cookies. This could allow them to impersonate victims against upstream services. The risk is higher if you use @hapi/wreck in environments with multiple tenants or untrusted networks where redirect forgery is possible.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data such as session cookies, bearer tokens, or proxy credentials, which may violate GDPR's data protection principles or HIPAA's safeguards for protected health information if exploited.

Mitigation Strategies

Upgrade @hapi/wreck to version 18.1.2 or later immediately. If upgrading is not possible, implement strict input validation for redirects and avoid sending sensitive credentials in URLs or headers during cross-origin requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48022. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart