Description
An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.
Published: 2026-04-23
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Patch
AI Analysis

Impact

An API design flaw in WebKitGTK and WPE WebKit, identified as CWE-639, allows untrusted web content to make arbitrary IP connections, DNS lookups, and HTTP requests without passing through the WebPage::send-request signal. The flaw permits the content to bypass the application's explicit approval mechanism, enabling an attacker to trigger network activity that the application was intended to control. This reduces the integrity of the network access control and can facilitate data exfiltration, phishing, or other malicious operations.

Affected Systems

This vulnerability impacts Red Hat Enterprise Linux 6 through 9, as they include affected WebKitGTK/WPE WebKit components. The precise package versions are not enumerated in the advisory, so any installation of the affected WebKitGTK build is potentially vulnerable. Systems running these distributions should verify whether their WebKitGTK libraries contain the fix.

Risk and Exploitability

The CVSS score is 4.7, indicating moderate risk, and the EPSS score is less than 1%, implying a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply or load malicious web content that the application renders; the flaw is likely exploitable only when the application processes untrusted pages. No remote code execution or privilege escalation is provided, so the impact is confined to unauthorized network connections.

Generated by OpenCVE AI on April 28, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update to the latest Red Hat packaged WebKitGTK that includes the CVE fix.
  • Configure the application to enforce the WebPage::send-request signal for all outbound traffic, denying any request that bypasses this handler.
  • Place a network firewall or SELinux restriction around the application to block outgoing connections that are not explicitly approved by the app.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 00:15:00 +0000

Type: References. Values removed: none listed. Values added: none listed.
Type: Metrics (threat_severity). Values removed: None. Values added: Moderate.


Thu, 23 Apr 2026 13:15:00 +0000

Type: Metrics (ssvc). Values removed: none listed. Values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 12:45:00 +0000

Values added:

Description: An API design flaw in WebKitGTK and WPE WebKit allows untrusted web content to unexpectedly perform IP connections, DNS lookups, and HTTP requests. Applications expect to use the WebPage::send-request signal handler to approve or reject all network requests. However, certain types of HTTP requests bypass this signal handler.
Title: Webkitgtk: authorization bypass through webpage::send-request signal handler
First Time appeared: Redhat; Redhat enterprise Linux
Weaknesses: CWE-639
CPEs: cpe:/o:redhat:enterprise_linux:6; cpe:/o:redhat:enterprise_linux:7; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
Vendors & Products: Redhat; Redhat enterprise Linux
References: none listed
Metrics (cvssV3_1): {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-28T20:00:24.706Z

Reserved: 2025-11-26T19:02:26.116Z

Link: CVE-2025-66286

Vulnrichment

Updated: 2026-04-23T12:48:32.279Z

NVD

Status : Awaiting Analysis

Published: 2026-04-23T13:16:11.007

Modified: 2026-04-24T14:50:56.203

Link: CVE-2025-66286

Redhat

Severity : Moderate

Public Date: 2026-04-23T12:15:39Z

Links: CVE-2025-66286 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses