CVE Catalog

CVE-2026-5119

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.02%

4th percentile - higher than 4% of all known CVEs

Summary

A flaw was found in libsoup that allows sensitive session cookies to be transmitted in cleartext during the establishment of HTTPS tunnels through a configured HTTP proxy. Attackers can intercept these cookies, leading to potential session hijacking or user impersonation.

Risk Assessment

The organization is at risk of session hijacking, which can lead to unauthorized access to user data and resources. Attackers may exploit these cookies to impersonate users.

Recommendation

It is recommended to configure libsoup to avoid transmitting sensitive data in cleartext and to consider using more secure tunneling methods. Additionally, networks should be monitored and secured against malicious proxies.

Original NVD description (English source)

A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS