CVE-2026-42551 - Vulnerability Details

- Flight: HTTP method override enabled by default enables CSRF escalation and middleware bypass in flightphp/core

Description

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin. This vulnerability is fixed in 3.18.1.

Published: 2026-05-13

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Flight PHP’s Request::getMethod() blindly follows the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on every request, even safe methods like GET. This flaw lets an attacker change a GET request into a DELETE or PUT and thus carry out CSRF attacks that delete or modify resources, or bypass middleware that relies on HTTP verbs. The weakness is classified as CWE‑436 and can be exploited to cause unauthorized destructive actions.

Affected Systems

The vulnerability affects the flightphp:core micro‑framework for PHP, all releases older than version 3.18.1. Users relying on older versions of this framework are exposed and should consider upgrading before the patch is available.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, and the vulnerability is publicly listed in a GitHub advisory. Because the flaw can be triggered via any HTTP request, an attacker can exploit it from outside the network using a crafted request, without authentication. Although the EPSS score is not available, the lack of a KEV listing suggests no confirmed exploitation yet, but the attack vector remains high risk and the impact substantial.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

flightphp

core

affected

Version	Status	Constraints
`< 3.18.1`	affected	—

No data.

Vendor Product Confidence Versions

Flightphp

Core

100%

Version	Status	Scheme	Platform
`[0,3.18.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade flightphp/core to version 3.18.1 or later, which disables the DEFAULT HTTP method override.
If an immediate upgrade is not feasible, re‑implement the framework’s routing logic to ignore or whitelist X-HTTP-Method-Override and $_REQUEST['_method'] input, ensuring only explicitly allowed methods are processed.
Audit middleware and route configurations to enforce strict HTTP verb checks and apply CSRF protection where unsafe methods are required.

Generated by OpenCVE AI on May 13, 2026 at 21:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-vxrr-w42w-w76g	Flight: HTTP method override enabled by default, facilitating CSRF escalation and middleware bypass

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g

History

Thu, 14 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Flightphp Flightphp core
Vendors & Products		Flightphp Flightphp core

Thu, 14 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 13 May 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin. This vulnerability is fixed in 3.18.1.
Title		Flight: HTTP method override enabled by default enables CSRF escalation and middleware bypass in flightphp/core
Weaknesses		CWE-436
References		https://github.com/flightphp/core/security/advisories/GHSA-vxrr-w42w-w76g
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Flightphp Core

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-13T19:23:27.314Z

Updated: 2026-05-14T12:49:48.236Z

Reserved: 2026-04-28T16:56:50.191Z

Link: CVE-2026-42551

Vulnrichment

Updated: 2026-05-14T12:48:56.633Z

NVD

Status : Deferred

Published: 2026-05-13T20:16:22.190

Modified: 2026-05-14T16:51:08.300

Link: CVE-2026-42551

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:38Z

Weaknesses

CWE-436

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object