Description
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tinyproxy versions up to 1.11.3 do not validate the Host header when checking for statistics requests, allowing an attacker to craft an HTTP request with a Host header that matches or manipulates the port used for stats detection. This can lead to unauthenticated viewing of internal proxy statistics or inappropriate routing through the proxy as a transparent proxy connection.

Affected Systems

All Tinyproxy releases through version 1.11.3, including the 1.11.x branches, are vulnerable. Builds that include commit 09312a1, which introduces proper Host header validation, are considered safe.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests an overall low current likelihood of exploit. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it remotely by sending crafted HTTP requests; no authentication is required and no special privileges are needed.

Generated by OpenCVE AI on June 18, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tinyproxy to a release that incorporates the fixes introduced in commit 09312a1 or later
  • Configure the statistics endpoint to require authentication or restrict it to trusted IP ranges using firewall or proxy configuration
  • Deploy network layer filtering that blocks or rewrites HTTP requests containing anomalous Host headers until the patch is applied


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tinyproxy; Tinyproxy tinyproxy
Vendors & Products | | Tinyproxy; Tinyproxy tinyproxy

Thu, 18 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Description | | Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.
Title | | Tinyproxy - Stathost Detection Bypass via Host Header Manipulation
First Time appeared | | Tinyproxy Project; Tinyproxy Project tinyproxy
Weaknesses | | CWE-290
CPEs | | cpe:2.3:a:tinyproxy_project:tinyproxy:*:*:*:*:*:*:*:*
Vendors & Products | | Tinyproxy Project; Tinyproxy Project tinyproxy
References | |
Metrics | | cvssV3_1: score 8.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Metrics | | cvssV4_0: score 8.8, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-17T19:45:15.614Z

Reserved: 2026-06-16T15:53:37.764Z

Link: CVE-2026-55202

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-290: Authentication Bypass by Spoofing