GHSA-xv49-34rf-rqv4

GHSA-xv49-34rf-rqv4 PUBLISHED CVSS 5.300000190734863 MEDIUM

A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure.

Risk Scores

CVSS v3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Timeline

Feb 3, 2026 CVE Published
Mar 19, 2026 CVE Updated
Apr 10, 2026 Security Advisory

References

https://nvd.nist.gov/vuln/detail/CVE-2026-1801 advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2436315 url
https://gitlab.gnome.org/GNOME/libsoup/-/issues/481 url
https://access.redhat.com/security/cve/CVE-2026-1801 advisory

Open in Interactive Console →