Description
A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.
Published: 2026-03-17
Score: 3.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Potential SSRF via malformed hostnames leading to HTTP smuggling
Action: Apply Patch
AI Analysis

Impact

This flaw resides in the libsoup networking library used by applications to send HTTP requests. Because the library does not validate hostnames, an attacker who can influence the hostname of a URL the application fetches can embed special characters that end up in the outgoing HTTP headers. The injected characters allow HTTP request smuggling, where one request is hidden inside another. In some configurations, the injection can also trigger Server-Side Request Forgery, forcing the server to issue requests to internal or external endpoints that the attacker chooses. The vendor rates the impact low because SoupServer is not used in internet infrastructure, but the consequence is that a remote attacker could make the target fetch or interact with unintended resources, potentially exposing sensitive data or triggering downstream vulnerabilities.
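To make the mechanism concrete, the following added example (not code from libsoup, Red Hat or the advisory) shows a request builder that copies an unvalidated hostname into the Host header next to a hardened version that rejects the hostname first. The sample hostname, the choice of CR/LF as the injected characters, and the RFC 1123 grammar used by the validator are assumptions of this example; the advisory itself only says "special characters".

```python
import ipaddress
import re

# Constructed hostname for the demonstration (not from the advisory). The advisory
# only says "special characters"; treating CR/LF as the dangerous characters is
# this example's assumption, chosen because a CR/LF pair ends an HTTP header line.
ATTACKER_HOST = (
    "example.com\r\n"
    "X-Injected: 1\r\n"
    "\r\n"
    "GET /internal HTTP/1.1\r\n"
    "Host: intranet"
)

# Assumed hostname grammar: RFC 1123 labels (letters, digits, hyphens; no leading or
# trailing hyphen; at most 63 octets each) joined by dots, or a bracketed IPv6 literal.
# Ports are handled outside this check.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_hostname(host: str) -> bool:
    """Accept only syntactically valid hostnames or bracketed IPv6 literals."""
    if not host or len(host) > 253:
        return False
    if host.startswith("[") and host.endswith("]"):
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ValueError:
            return False
        return True
    return _HOSTNAME_RE.fullmatch(host) is not None


def build_request_unsafe(host: str, path: str = "/") -> str:
    """Vulnerable pattern: the hostname is copied into the Host header unchecked."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


def build_request_safe(host: str, path: str = "/") -> str:
    """Hardened pattern: refuse to build the request if the hostname is malformed."""
    if not is_valid_hostname(host):
        raise ValueError(f"refusing malformed hostname: {host!r}")
    return build_request_unsafe(host, path)


_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def count_requests(raw: bytes) -> int:
    """Count how many request heads a server would see on the wire.

    Crude on purpose: splits on the blank line that ends a header block and counts
    blocks that start with a method token. One call to the builder should yield one.
    """
    return sum(1 for block in raw.split(b"\r\n\r\n") if block.startswith(_METHODS))


def safe_builder_rejects(host: str) -> bool:
    """True if the hardened builder refuses the host."""
    try:
        build_request_safe(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    smuggled = build_request_unsafe(ATTACKER_HOST).encode()
    print("requests on the wire from one unsafe call:", count_requests(smuggled))
    print("hardened builder rejects attacker host:", safe_builder_rejects(ATTACKER_HOST))
    print("hardened builder accepts example.com:", not safe_builder_rejects("example.com"))
```

The unsafe builder turns a single call into two request heads on the wire, which is the smuggling primitive; the validator closes it by refusing any character outside the hostname grammar rather than trying to strip the dangerous ones.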

Affected Systems

Red Hat Enterprise Linux 6, 7, 8, 9 and 10 are listed as affected, and the flawed component is GNOME's libsoup library, which these releases ship. Specific vulnerable package versions are not enumerated in the advisory, so all current installations of libsoup on these RHEL releases should be considered at risk pending further detail.

Risk and Exploitability

The CVSS 3.1 score of 3.9 (vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L) indicates low severity: the vector records high attack complexity, high privileges and required user interaction, and the EPSS score is under 1 percent, suggesting a small likelihood of exploitation as of the data snapshot. The vulnerability is not present in CISA's KEV catalog, and the SSVC assessment on this page records no known exploitation and marks it as not automatable. The attack is network-based, but because libsoup is the client side here, the attacker must get an application built on libsoup to request a URL whose hostname carries the injected characters, rather than simply sending a crafted request to the application. If that application runs with elevated privileges or communicates with internal services, the attacker could use the SSRF capability to reach those resources. The vulnerability alone does not grant arbitrary code execution, but its misuse could provide a foothold for further lateral movement or data exfiltration.

Generated by OpenCVE AI on April 16, 2026 at 02:45 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply the latest Red Hat Enterprise Linux update that includes the fixed libsoup package as soon as it becomes available.
  • Upgrade the libsoup library to a version that incorporates the hostname validation fix, for example by installing the latest GNOME libsoup release from the distribution's package manager.
  • Mitigate the SSRF risk by restricting the application's outbound HTTP traffic to only the hosts it explicitly requires, using egress firewall rules or a forward (egress) proxy that enforces an allowlist; a reverse proxy in front of the application controls inbound traffic and does not constrain the requests the application itself makes.
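As an added example of the egress restriction above (not libsoup's or Red Hat's code), here is an in-application outbound policy check that applies the same allowlist a firewall or egress proxy would enforce, written so it can be exercised offline. The allowlisted hosts, the https-only rule, the port rule and the sample URLs are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy for the example. A real deployment derives the allowlist from the
# application's configuration and enforces the same rule at the egress firewall or proxy.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.net"}
ALLOWED_PORTS = {None, 443}  # None means the scheme default


def outbound_allowed(url: str) -> tuple:
    """Decide whether the application may issue a request to `url`.

    Returns (allowed, reason). Names only: literal IP addresses are refused so that
    loopback, link-local and RFC 1918 targets can never slip through the allowlist,
    and nothing here performs DNS, so the check runs offline.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"

    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"

    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue with the name checks
    else:
        return False, f"IP literal {host!r} not allowed; use an allowlisted name"

    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"

    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"

    return True, "ok"


def filter_urls(urls):
    """Apply the policy to a batch and return only the URLs that may be fetched."""
    return [u for u in urls if outbound_allowed(u)[0]]


# Constructed sample targets (not from the advisory).
SAMPLE_URLS = [
    "https://api.example.com/v1/status",
    "http://api.example.com/v1/status",           # plaintext scheme
    "https://api.example.com:8443/",              # unexpected port
    "https://169.254.169.254/latest/meta-data/",  # cloud metadata IP literal
    "https://[::1]/admin",                        # loopback IPv6 literal
    "https://evil.example.org/",                  # not allowlisted
    "https://CDN.example.net/asset.js",           # case-insensitive host match
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:45} -> {outbound_allowed(u)}")
```

Refusing IP literals outright, rather than trying to enumerate private ranges, keeps the check simple and means a hostname that smuggles a second request can never point the application at an address that was not explicitly named in the policy.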

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 20:00:00 +0000

Type: First Time appeared
  Values Added: Gnome; Gnome libsoup
Type: CPEs
  Values Added:
    cpe:2.3:a:gnome:libsoup:-:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Gnome; Gnome libsoup

Tue, 17 Mar 2026 13:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 10:00:00 +0000

Type: Description
  Values Removed: No description is available for this CVE.
  Values Added: A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.
Type: Title
  Values Removed: libsoup: libsoup: HTTP Smuggling and Server-Side Request Forgery via Malformed Hostnames
  Values Added: Libsoup: libsoup: http smuggling and server-side request forgery via malformed hostnames
Type: First Time appeared
  Values Added: Redhat; Redhat enterprise Linux
Type: CPEs
  Values Added:
    cpe:/o:redhat:enterprise_linux:10
    cpe:/o:redhat:enterprise_linux:6
    cpe:/o:redhat:enterprise_linux:7
    cpe:/o:redhat:enterprise_linux:8
    cpe:/o:redhat:enterprise_linux:9
Type: Vendors & Products
  Values Added: Redhat; Redhat enterprise Linux
Type: References

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
  Values Added: Libsoup; Libsoup libsoup
Type: Vendors & Products
  Values Added: Libsoup; Libsoup libsoup

Fri, 06 Mar 2026 12:15:00 +0000

Type: Description
  Values Added: No description is available for this CVE.
Type: Title
  Values Added: libsoup: libsoup: HTTP Smuggling and Server-Side Request Forgery via Malformed Hostnames
Type: Weaknesses
  Values Added: CWE-1286
Type: References
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 3.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L'}; threat_severity: Low


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-19T20:56:56.070Z

Reserved: 2026-03-06T07:51:17.978Z

Link: CVE-2026-3632

Vulnrichment

Updated: 2026-03-17T13:02:02.916Z

NVD

Status : Analyzed

Published: 2026-03-17T10:16:00.297

Modified: 2026-03-19T19:56:43.170

Link: CVE-2026-3632

Redhat

Severity : Low

Public Date: 2026-03-06T05:05:00Z

Links: CVE-2026-3632 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses