CVE-2026-5119

MEDIUM

Libsoup: libsoup: information disclosure via cleartext transmission of cookies during https tunnel establishment

Title source: cna

Description

A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.

References (17)

Core 17

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:22710

https://access.redhat.com/errata/RHSA-2026:22710

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:22716

https://access.redhat.com/errata/RHSA-2026:22716

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:24344

https://access.redhat.com/errata/RHSA-2026:24344

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:22323

https://access.redhat.com/errata/RHSA-2026:22323

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:24722

https://access.redhat.com/errata/RHSA-2026:24722

https://gitlab.gnome.org/GNOME/libsoup/-/issues/502

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:13978

https://access.redhat.com/errata/RHSA-2026:13978

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:14087

https://access.redhat.com/errata/RHSA-2026:14087

Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2026-5119

Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat

RHBZ#2452932

https://bugzilla.redhat.com/show_bug.cgi?id=2452932

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:15968

https://access.redhat.com/errata/RHSA-2026:15968

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:17482

https://access.redhat.com/errata/RHSA-2026:17482

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:19143

https://access.redhat.com/errata/RHSA-2026:19143

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:19356

https://access.redhat.com/errata/RHSA-2026:19356

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:21686

https://access.redhat.com/errata/RHSA-2026:21686

Vendor Advisory vendor-advisory x_refsource_redhat

RHSA-2026:22316

https://access.redhat.com/errata/RHSA-2026:22316

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2026:22317

Scores

CVSS v3 5.9

EPSS 0.0025

EPSS Percentile 16.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-319

Status published

Products (27)

gnome/libsoup

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 10 0:3.6.5-3.el10_1.11

Red Hat/Red Hat Enterprise Linux 10 0:3.6.5-3.el10_2.11

Red Hat/Red Hat Enterprise Linux 10.0 Extended Update Support 0:3.6.5-3.el10_0.15

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 7 Extended Lifecycle Support 0:2.62.2-12.el7_9

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 8 0:2.62.3-14.el8_10

... and 17 more

Published Mar 30, 2026

Tracked Since Mar 30, 2026