Description
Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections.

'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated.

Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions.

This issue affects bandit: from 1.0.0 before 1.11.0.
Published: 2026-05-01
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Bandit trusts the client-supplied URI scheme without checking whether the underlying transport is secure. An attacker can therefore declare an https scheme in a request sent over plain HTTP, and the framework records the connection as secure. Downstream plugs that inspect conn.scheme are misled as a result: Plug.SSL may skip its HTTP-to-HTTPS redirect, cookies marked secure: true can be sent over the unencrypted channel, audit logs show HTTPS while the traffic is not encrypted, and CSRF/SameSite checks may be bypassed. The flaw is classified as CWE-807 (Reliance on Untrusted Inputs in a Security Decision).

Affected Systems

The vulnerability exists in the bandit HTTP server package maintained by mtrudel. Versions from 1.0.0 up to but not including 1.11.0 are affected. Developers should check the installed version and update accordingly.

Risk and Exploitability

The CVSS score of 6.3 reflects medium severity. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely over any plaintext HTTP connection by sending an absolute-form request target with an https scheme, or an HTTP/2 :scheme pseudo-header set to https. Exploitation can lead to insecure credential handling, potential CSRF attacks, and incorrect log entries.

Generated by OpenCVE AI on May 1, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update bandit to version 1.11.0 or later, which removes the unverified scheme handling.
  • Configure the network so that Bandit receives traffic only over TLS – disable plain HTTP endpoints or enforce TLS termination before requests reach Bandit.
  • If an immediate upgrade is not possible, add a custom plug or proxy rule that rejects any plaintext request declaring an https scheme, so that downstream logic only ever sees a scheme that matches the verified transport.

Generated by OpenCVE AI on May 1, 2026 at 22:48 UTC.
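The custom-plug mitigation in the recommended actions, written out as an added example (this is illustrative code, not Bandit's or OpenCVE's). Because the bug means nothing in the conn can be trusted to carry the real transport state, the plug takes the listener's actual transport from operator configuration and compares it with the scheme Bandit placed in conn.scheme, refusing requests where the two disagree. The module name MyApp.Plugs.VerifyScheme and the transport_secure? option are assumptions made for this example.

```elixir
defmodule MyApp.Plugs.VerifyScheme do
  @moduledoc """
  Rejects requests whose `conn.scheme` does not match the transport this
  listener actually speaks. Intended to run before Plug.SSL and before any
  plug that emits `secure: true` cookies or logs the scheme.

  Assumed usage (the listener's transport is a deployment fact supplied by
  the operator, never read from the request):

      plug MyApp.Plugs.VerifyScheme, transport_secure?: false   # plaintext listener
      plug MyApp.Plugs.VerifyScheme, transport_secure?: true    # TLS listener
  """
  @behaviour Plug
  import Plug.Conn
  require Logger

  @impl Plug
  def init(opts) do
    # Fail at boot if the operator did not state what the listener speaks.
    if Keyword.fetch!(opts, :transport_secure?), do: :https, else: :http
  end

  @impl Plug
  def call(%Plug.Conn{scheme: scheme} = conn, expected) when scheme == expected do
    # Declared scheme agrees with the transport: pass through untouched.
    conn
  end

  def call(conn, expected) do
    # A mismatch means the HTTP/1.1 absolute-form target or the HTTP/2
    # :scheme pseudo-header claimed a transport the connection does not have.
    # Log it for detection, then stop it before Plug.SSL or cookie handling.
    Logger.warning(
      "scheme mismatch: request declared #{conn.scheme}, listener transport is #{expected}",
      remote_ip: inspect(conn.remote_ip),
      request_path: conn.request_path
    )

    conn
    |> put_resp_content_type("text/plain")
    |> send_resp(400, "request scheme does not match connection transport")
    |> halt()
  end
end
```

Place this plug ahead of anything that rewrites conn.scheme from proxy headers (for example Plug.RewriteOn with x-forwarded-proto); otherwise the comparison is made against the proxy's claim rather than the value Bandit derived from the request. On a plaintext listener behind a TLS-terminating proxy, the expected value is still :http, since that is what the listener itself receives.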


Advisories

No advisories yet.

History

Sat, 02 May 2026 02:15:00 +0000

Type | Values Removed | Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated. Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions. This issue affects bandit: from 1.0.0 before 1.11.0.
Title Client-supplied URI scheme trusted without transport verification in bandit
First Time appeared Mtrudel
Mtrudel bandit
Weaknesses CWE-807
CPEs cpe:2.3:a:mtrudel:bandit:*:*:*:*:*:*:*:*
Vendors & Products Mtrudel
Mtrudel bandit
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-02T04:17:33.243Z

Reserved: 2026-04-07T12:28:54.916Z

Link: CVE-2026-39807

Vulnrichment

Updated: 2026-05-02T01:18:06.333Z

NVD

Status : Received

Published: 2026-05-01T21:16:17.180

Modified: 2026-05-02T02:16:00.320

Link: CVE-2026-39807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:30:15Z

Weaknesses