CVE-2026-5119

MEDIUM

Libsoup: libsoup: information disclosure via cleartext transmission of cookies during https tunnel establishment

Title source: cna

Description

A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.

References (3)

https://gitlab.gnome.org/GNOME/libsoup/-/issues/502

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-5119

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2452932

Scores

CVSS v3 5.9

EPSS 0.0001

EPSS Percentile 0.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-319

Status published

Products (10)

gnome/libsoup

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

redhat/enterprise_linux 7.0

redhat/enterprise_linux 8.0

redhat/enterprise_linux 9.0

redhat/enterprise_linux 10.0

Published Mar 30, 2026

Tracked Since Mar 30, 2026