Description
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in a paused scenario, relaying of unauthenticated traffic can occur.
Published: 2026-05-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Prosody’s mod_proxy65 module allows an unauthenticated XMPP client to relay traffic to a target XMPP server without proper access control. An attacker can send requests that are forwarded to another server and cause the relayed traffic to bypass authentication. This misuse can enable the attacker to transmit or intercept data, potentially compromising confidentiality or integrity of the XMPP sessions involved.

Affected Systems

Prosody XMPP server is affected in all versions prior to 0.12.6 and in the 1.0.0 through 13.0.0 family prior to 13.0.5 when the mod_proxy65 module is enabled. Versions 0.12.6 and later or 13.0.5 and later receive the fix and are no longer vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available, so the actual exploitation probability is uncertain, and the vulnerability is not currently listed in CISA’s KEV catalog. The attack vector is remote; an unauthenticated client can target the XMPP proxy port exposed by mod_proxy65 and trigger the relay. Modest risk is obviated by prompt patching or disabling the module.

Generated by OpenCVE AI on May 2, 2026 at 07:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prosody to 0.12.6 or newer, or to any 1.0.0‑based release past 13.0.5 that implements the fix
  • If an upgrade cannot be performed immediately, disable the mod_proxy65 module or remove it from the configuration
  • Restrict access to the XMPP proxy port to trusted hosts or require authentication before allowing traffic to be forwarded

Generated by OpenCVE AI on May 2, 2026 at 07:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 07:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated XMPP Traffic Relay via Improper mod_proxy65 Access Control

Fri, 01 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 01 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in a paused scenario, relaying of unauthenticated traffic can occur.
First Time appeared Prosody
Prosody prosody
Weaknesses CWE-863
CPEs cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*
Vendors & Products Prosody
Prosody prosody
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Prosody Prosody
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T15:55:23.406Z

Reserved: 2026-05-01T14:40:08.985Z

Link: CVE-2026-43504

cve-icon Vulnrichment

Updated: 2026-05-01T15:55:07.854Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:52.380

Modified: 2026-05-01T17:15:31.117

Link: CVE-2026-43504

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T07:15:16Z

Weaknesses