{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8368", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-05-11T21:33:14.480Z", "datePublished": "2026-05-12T14:01:25.365Z", "dateUpdated": "2026-05-19T17:16:03.676Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "libwww-perl", "product": "LWP::UserAgent", "programFiles": ["lib/LWP/UserAgent.pm"], "programRoutines": [{"name": "LWP::UserAgent::request"}], "repo": "https://github.com/libwww-perl/libwww-perl", "vendor": "OALDERS", "versions": [{"lessThan": "6.83", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Kai Aizen"}], "descriptions": [{"lang": "en", "value": "LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.\n\nOn a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.\n\nA redirect to an attacker controlled host therefore discloses the caller's credentials to that host."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-05-12T14:01:25.365Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/libwww-perl/libwww-perl/commit/9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6.patch"}, {"tags": ["release-notes"], "url": "https://metacpan.org/release/OALDERS/libwww-perl-6.83/changes"}, {"tags": ["issue-tracking"], "url": "https://github.com/libwww-perl/libwww-perl/pull/512"}, {"tags": ["related"], "url": "https://github.com/libwww-perl/libwww-perl/pull/284"}], "solutions": [{"lang": "en", "value": "Upgrade to libwww-perl 6.83 or later."}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2026-05-11T00:00:00.000Z", "value": "Issue reported."}, {"lang": "en", "time": "2026-05-12T00:00:00.000Z", "value": "libwww-perl 6.83 released with fix."}], "title": "LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/12/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-12T17:41:03.656Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-05-13T14:30:39.897128Z", "id": "CVE-2026-8368", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-19T17:16:03.676Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/12/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-05-12T17:41:03.656Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-8368", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-13T14:30:39.897128Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T14:31:48.984Z"}}], "cna": {"title": "LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Kai Aizen"}], "affected": [{"repo": "https://github.com/libwww-perl/libwww-perl", "vendor": "OALDERS", "product": "LWP::UserAgent", "versions": [{"status": "affected", "version": "0", "lessThan": "6.83", "versionType": "custom"}], "packageName": "libwww-perl", "programFiles": ["lib/LWP/UserAgent.pm"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "LWP::UserAgent::request"}]}], "timeline": [{"lang": "en", "time": "2026-05-11T00:00:00.000Z", "value": "Issue reported."}, {"lang": "en", "time": "2026-05-12T00:00:00.000Z", "value": "libwww-perl 6.83 released with fix."}], "solutions": [{"lang": "en", "value": "Upgrade to libwww-perl 6.83 or later."}], "references": [{"url": "https://github.com/libwww-perl/libwww-perl/commit/9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6.patch", "tags": ["patch"]}, {"url": "https://metacpan.org/release/OALDERS/libwww-perl-6.83/changes", "tags": ["release-notes"]}, {"url": "https://github.com/libwww-perl/libwww-perl/pull/512", "tags": ["issue-tracking"]}, {"url": "https://github.com/libwww-perl/libwww-perl/pull/284", "tags": ["related"]}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.\n\nOn a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.\n\nA redirect to an attacker controlled host therefore discloses the caller's credentials to that host."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-05-12T14:01:25.365Z"}}}, "cveMetadata": {"cveId": "CVE-2026-8368", "state": "PUBLISHED", "dateUpdated": "2026-05-19T17:16:03.676Z", "dateReserved": "2026-05-11T21:33:14.480Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-05-12T14:01:25.365Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.\n\nOn a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.\n\nA redirect to an attacker controlled host therefore discloses the caller's credentials to that host."}], "id": "CVE-2026-8368", "lastModified": "2026-05-19T18:16:30.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-05-12T15:16:19.690", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://github.com/libwww-perl/libwww-perl/commit/9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6.patch"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://github.com/libwww-perl/libwww-perl/pull/284"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://github.com/libwww-perl/libwww-perl/pull/512"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/OALDERS/libwww-perl-6.83/changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/05/12/7"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{"bugzilla": {"description": "perl-libwww-perl: perl-libwww-perl: Information disclosure via cross-origin redirects", "id": "2476490", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476490"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-201", "details": ["A flaw was found in LWP::UserAgent, a component of perl-libwww-perl. This vulnerability allows a remote attacker to obtain a user's credentials by redirecting a request to an attacker-controlled host. When processing a redirect, the LWP::UserAgent fails to properly strip Authorization and Proxy-Authorization headers, leading to their unintended disclosure across different origins."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-8368", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "perl-libwww-perl", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "perl-libwww-perl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "perl-libwww-perl:6.34/perl-libwww-perl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "perl-libwww-perl", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-12T14:01:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-8368\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-8368\nhttps://github.com/libwww-perl/libwww-perl/commit/9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6.patch\nhttps://github.com/libwww-perl/libwww-perl/pull/284\nhttps://github.com/libwww-perl/libwww-perl/pull/512\nhttps://metacpan.org/release/OALDERS/libwww-perl-6.83/changes"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.83)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LWP::UserAgent", "source": "cna", "vendor": "OALDERS"}, "product": "lwp::useragent", "vendor": "oalders"}], "created": "2026-05-12T17:15:21.053386+00:00", "updated": "2026-05-25T13:30:26.283729+00:00", "vendors": ["oalders", "oalders$PRODUCT$lwp::useragent"]}