Description
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
Published: 2026-06-23
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Guzzle is a PHP HTTP client. Versions earlier than 7.12.1 can incorrectly handle https:// proxies when the underlying libcurl is older than 7.50.2, resulting in a silent downgrade to plain HTTP. This leads to the transmission of proxy credentials and CONNECT headers in cleartext, exposing authentication data and connection details. The weakness is a cryptographic confidentiality flaw (CWE-311, CWE-319) and a protocol downgrade issue (CWE-636). The impact is the disclosure of sensitive credentials and connection details, but it does not enable code execution or denial‑of‑service.

Affected Systems

The issue affects PHP applications using guzzle:guzzle versions prior to 7.12.1, configured with the default cURL handlers and an https:// proxy, when the running libcurl library is older than 7.50.2. If these conditions are met, the client will send credentials and CONNECT requests unencrypted to the proxy.

Risk and Exploitability

The CVSS score of 5.9 shows moderate severity. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. An attacker positioned on the network path between the client and the proxy could observe the cleartext Proxy-Authorization header and CONNECT request, thereby stealing credentials and monitoring the request destination. The vulnerability does not provide a direct code‑execution or denial‑of‑service vector; it primarily enables credential and traffic disclosure.

Generated by OpenCVE AI on June 24, 2026 at 11:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade guzzle:guzzle to 7.12.1 or later to eliminate the cryptographic downgrade flaw associated with CWE-311, CWE-319, and CWE-636.
  • Update the libcurl library to version 7.50.2 or newer so that https:// proxies are correctly negotiated over TLS.
  • If an upgrade cannot be performed immediately, reconfigure the proxy URL to use plain http:// or disable proxy usage to prevent exposure of encrypted credentials over a cleartext connection.

Generated by OpenCVE AI on June 24, 2026 at 11:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wpwq-4j6v-78m3 guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext
History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Guzzlephp
Guzzlephp guzzle
Vendors & Products Guzzlephp
Guzzlephp guzzle

Tue, 23 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials (the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPT_PROXYUSERPWD) are sent without encryption, and the CONNECT target host and port for tunneled HTTPS requests are exposed. The built-in cURL handlers (GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available) accept an https:// proxy. libcurl older than 7.50.2 silently treats an https:// proxy as a plaintext http:// proxy. The TLS connection to the proxy is never established, and the proxy leg is cleartext with no error or warning. An application is affected when it sends requests through one of the built-in cURL handlers, configures an https:// proxy expecting the proxy connection itself to be encrypted, and runs with libcurl older than 7.50.2. This vulnerability is fixed in 7.12.1.
Title Guzzle: Silent HTTPS-Proxy Downgrade to Cleartext
Weaknesses CWE-311
CWE-319
CWE-636
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Guzzlephp Guzzle
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:44:40.427Z

Reserved: 2026-06-16T23:11:20.214Z

Link: CVE-2026-55568

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:03Z

Weaknesses
  • CWE-311

    Missing Encryption of Sensitive Data

  • CWE-319

    Cleartext Transmission of Sensitive Information

  • CWE-636

    Not Failing Securely ('Failing Open')