CVE-2026-59180
Received Received - Intake

Apprise HTTP Redirect Credential Exposure Vulnerability

Vulnerability report for CVE-2026-59180, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. Prior to 1.11.0, Apprise HTTP-based notification plugins and HTTP attachment and config loaders in apprise/attachment/http.py and apprise/config/http.py follow HTTP redirects by default and resend user-configured auth headers and query parameters on the redirected request, allowing a compromised trusted destination or on-path attacker to receive secrets such as Authorization headers, bearer tokens, custom headers, and service keys. This issue is fixed in version 1.11.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apprise apprise 1.11.0
caronc apprise to 1.10.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Apprise allows sensitive authentication tokens, API keys, and custom headers to be exposed to an attacker who can manipulate HTTP redirects. This exposure of secrets could potentially lead to unauthorized access to personal or protected data.

Such unauthorized disclosure of sensitive information may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding of personal and sensitive data against unauthorized access or disclosure.

However, the CVSS score is low (3.1), and exploitation requires network access or compromise of a trusted destination, limiting the scope of impact.

To mitigate this risk and maintain compliance, users are advised to upgrade to Apprise version 1.11.0 or later, which includes controls to disable HTTP redirects and prevent leakage of sensitive headers.

Executive Summary

CVE-2026-59180 is a security vulnerability in the Apprise notification library versions up to 1.10.0. The issue arises because HTTP-based notification plugins and HTTP attachment/config loaders follow HTTP redirects (3xx responses) by default and resend user-configured authentication headers and query parameters to the redirected host.

This behavior allows an attacker who can compromise a trusted destination or perform a man-in-the-middle attack to intercept sensitive information such as Authorization headers, bearer tokens, custom headers, and service keys by redirecting the request to an arbitrary host.

The vulnerability was fixed in version 1.11.0 by introducing a redirect control parameter and a global setting to disable redirects, preventing automatic forwarding of sensitive credentials to untrusted destinations.

Impact Analysis

This vulnerability can lead to the exposure of sensitive authentication tokens, API keys, and custom headers if an attacker manages to compromise a trusted destination or intercept network traffic.

An attacker can exploit HTTP redirects to redirect requests to a malicious host and capture these secrets, potentially leading to unauthorized access or misuse of notification services.

However, the CVSS score is 3.1 (Low), indicating that exploitation requires network access or compromise of a trusted destination and results only in partial confidentiality loss for a single user secret per redirected request.

Detection Guidance

This vulnerability involves HTTP-based notification plugins and loaders in Apprise following HTTP 3xx redirects by default and resending sensitive authentication headers and query parameters to redirected hosts. Detection involves monitoring network traffic for unexpected HTTP 3xx redirect responses and subsequent requests that resend authentication headers or tokens to untrusted or unexpected destinations.

You can detect potential exploitation by capturing and analyzing HTTP traffic from Apprise clients to identify if Authorization headers or bearer tokens are being sent to redirected URLs. Tools like tcpdump or Wireshark can be used for this purpose.

  • Use tcpdump to capture HTTP traffic on the relevant interface: tcpdump -i <interface> -A 'tcp port 80 or 443'
  • Use Wireshark to filter HTTP requests and look for 3xx redirect responses followed by requests containing Authorization headers or tokens.
  • Check Apprise configuration or logs for URLs that include unexpected redirect parameters or unusual destinations.
Mitigation Strategies

The primary mitigation step is to upgrade Apprise to version 1.11.0 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, you can disable HTTP redirect following in Apprise by using the new configuration options introduced in the fix.

  • Set the global `http_redirects` flag in the `AppriseAsset` class to `False` to disable redirects across all plugins.
  • Alternatively, append the URL parameter `?redirect=no` to individual Apprise URLs to prevent following redirects on a per-URL basis.

These steps prevent Apprise from following HTTP 3xx redirects and resending sensitive authentication headers to potentially untrusted or malicious destinations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59180. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart