Description
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.

On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.

A redirect to an attacker-controlled host therefore discloses the caller's credentials to that host.
Published: 2026-05-12
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LWP::UserAgent versions before 6.83 forward Authorization and Proxy-Authorization headers unchanged when following 3xx redirects. When a redirect targets a host under attacker control, the caller's credentials are sent to that host, exposing whatever those headers carry: basic-auth passwords, bearer tokens, or proxy credentials. The weakness is classified as CWE-522 (Insufficiently Protected Credentials).

Affected Systems

The flaw exists in all releases of the LWP::UserAgent module (libwww-perl, CPAN author OALDERS) prior to 6.83; any application running libwww-perl older than 6.83 is affected. Upgrading to 6.83 or later removes the vulnerability.

Risk and Exploitability

Exploitation requires an application that uses LWP::UserAgent with an Authorization or Proxy-Authorization header set, and that requests a URL the attacker can influence (for example through an open redirect on an otherwise trusted origin), so that the redirect lands on an attacker-controlled host. No CVSS score has been published and no EPSS score is available, but a single redirect is enough to disclose the credential in full, so the issue warrants prompt action.

Generated by OpenCVE AI on May 12, 2026 at 17:05 UTC.

Remediation

Vendor Solution

Upgrade to libwww-perl 6.83 or later.


OpenCVE Recommended Actions

  • Upgrade the libwww-perl package to version 6.83 or newer to eliminate the header leakage.
  • Restrict where redirects may go: disable automatic following entirely with $ua->max_redirect(0) or $ua->requests_redirectable([]), or override LWP::UserAgent's redirect_ok method to refuse redirects to hosts outside an allow-list.
  • If upgrading is not immediately possible, strip Authorization and Proxy-Authorization from the follow-up request whenever the redirect target's scheme, host, or port differs from the original request's; redirect_ok receives the prospective request before it is sent and is the natural place to do this.

Generated by OpenCVE AI on May 12, 2026 at 17:05 UTC.
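The following is an added example of the workaround described above, written for this page; it is not libwww-perl's own code and not the upstream fix shipped in 6.83, whose exact logic this page does not describe. It relies only on documented LWP::UserAgent behaviour: before a 3xx is followed, the client calls redirect_ok($prospective_request, $response), and a subclass may override it. The class name SafeRedirectUA, the _origin helper, and the hosts api.example and evil.example are hypothetical. The check at the bottom uses constructed HTTP::Request and HTTP::Response objects, so it runs offline with any libwww-perl 6.x installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical subclass (added example, not libwww-perl's own code).
package SafeRedirectUA;
use parent 'LWP::UserAgent';
use URI;

# Origin = scheme + host + port, the same notion browsers use for
# cross-origin decisions. URI->canonical lowercases the host and fills in
# the default port, so "https://A.example/" and "https://a.example:443/"
# compare equal.
sub _origin {
    my ($uri) = @_;
    $uri = URI->new($uri)->canonical;
    return join ':', $uri->scheme, $uri->host, $uri->port;
}

# Called by LWP::UserAgent::request() before it follows a 3xx.
# $next is the clone of the original request that is about to be sent
# (LWP has already removed Host and Cookie from it); $resp is the 3xx.
# Credentials are dropped whenever the origin of $next differs from the
# origin of the request that produced the redirect.
sub redirect_ok {
    my ($self, $next, $resp) = @_;
    my $ok = $self->SUPER::redirect_ok($next, $resp);
    return $ok unless $ok;

    my $from = _origin($resp->request->uri);
    my $to   = _origin($next->uri);
    if ($from ne $to) {
        $next->remove_header('Authorization');
        $next->remove_header('Proxy-Authorization');
    }
    return 1;
}

package main;
use HTTP::Request;
use HTTP::Response;

# Offline check with constructed objects: a 302 from api.example to
# evil.example must not carry the Authorization header across.
my $ua   = SafeRedirectUA->new;
my $orig = HTTP::Request->new(GET => 'https://api.example/v1/secret');
$orig->header(Authorization => 'Bearer constructed-token');   # constructed credential

my $resp = HTTP::Response->new(302, 'Found');
$resp->header(Location => 'https://evil.example/');
$resp->request($orig);   # request() sets this on real responses too

my $cross = $orig->clone;
$cross->uri('https://evil.example/');
$ua->redirect_ok($cross, $resp);
print 'cross-origin Authorization: ',
      ($cross->header('Authorization') // '<removed>'), "\n";

# A same-origin redirect keeps the header, so legitimate flows still work.
my $same = $orig->clone;
$same->uri('https://api.example/v1/secret2');
$ua->redirect_ok($same, $resp);
print 'same-origin Authorization: ',
      ($same->header('Authorization') // '<removed>'), "\n";
```

Two caveats: the override treats a change of scheme or port as cross-origin, matching the description above, so an http-to-https upgrade redirect on the same host will also lose its credentials; widen the comparison only if you have a reason to. And it covers caller-supplied headers only, which is what this CVE concerns; credentials registered through $ua->credentials() are already scoped to a host and realm by LWP itself.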

Advisories

No advisories yet.

History

Tue, 12 May 2026 18:30:00 +0000

  References: changed (no values shown)

Tue, 12 May 2026 15:00:00 +0000

  Values added:
    Description: LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes. A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.
    Title: LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects
    Weaknesses: CWE-522
    References: (no values shown)

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-12T17:41:03.656Z

Reserved: 2026-05-11T21:33:14.480Z

Link: CVE-2026-8368

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-12T15:16:19.690

Modified: 2026-05-12T18:17:33.157

Link: CVE-2026-8368

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T17:15:21Z

Weaknesses