CVE-2026-1539
moderate-risk
Published 2026-01-28
A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data.
Do I need to act?
-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.8/10
Medium
NETWORK
/ LOW complexity
Affected Products (6)
References (2)
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2026-1539
Issue Tracking
https://gitlab.gnome.org/GNOME/libsoup/-/issues/489
35
/ 100
moderate-risk
Severity
22/34 · High
Exploitability
0/34 · Minimal
Exposure
13/34 · Low