Vulnerability Details CVE-2026-5119
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 16.5%
CVSS Severity
CVSS v3 Score 5.9
References
- https://access.redhat.com/errata/RHSA-2026:13978
- https://access.redhat.com/errata/RHSA-2026:14087
- https://access.redhat.com/errata/RHSA-2026:15968
- https://access.redhat.com/errata/RHSA-2026:17482
- https://access.redhat.com/errata/RHSA-2026:19143
- https://access.redhat.com/errata/RHSA-2026:19356
- https://access.redhat.com/errata/RHSA-2026:21686
- https://access.redhat.com/errata/RHSA-2026:22316
- https://access.redhat.com/errata/RHSA-2026:22317
- https://access.redhat.com/errata/RHSA-2026:22323
- https://access.redhat.com/errata/RHSA-2026:22710
- https://access.redhat.com/errata/RHSA-2026:22716
- https://access.redhat.com/errata/RHSA-2026:24344
- https://access.redhat.com/errata/RHSA-2026:24722
- https://access.redhat.com/security/cve/CVE-2026-5119
- https://bugzilla.redhat.com/show_bug.cgi?id=2452932
- https://gitlab.gnome.org/GNOME/libsoup/-/issues/502
Products affected by CVE-2026-5119
-
cpe:2.3:a:gnome:libsoup:-
-
cpe:2.3:o:redhat:enterprise_linux:10.0
-
cpe:2.3:o:redhat:enterprise_linux:7.0
-
cpe:2.3:o:redhat:enterprise_linux:8.0
-
cpe:2.3:o:redhat:enterprise_linux:9.0