PT-2026-36542 · Bandit · Bandit

Jonatan Männchen +2 · Published 2026-05-01 · Updated 2026-05-07 · CVE-2026-39807

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: bandit versions 1.0.0 through 1.10.f

Description: Reliance on untrusted input in a security decision allows unauthenticated transport-state spoofing on plaintext HTTP connections. The function determine_scheme/2 in Elixir.Bandit.Pipeline returns the client-supplied URI scheme verbatim and ignores the transport's secure flag. Both sources of that scheme, the HTTP/1.1 absolute-form request target and the HTTP/2 :scheme pseudo-header, are attacker-controlled strings. A client can therefore declare https over a plaintext TCP connection, and Bandit sets conn.scheme to :https even though no TLS was negotiated. Downstream Plug consumers are misled: Plug.SSL skips its HTTP-to-HTTPS redirect, secure cookies are sent over plaintext, audit logs record HTTPS use that never happened, and CSRF or SameSite gating makes decisions on a false premise. The issue affects only deployments that accept plaintext HTTP connections, either directly or via h2c (HTTP/2 over TCP without TLS).

Recommendations: Update bandit to version 1.11.0 or later.
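The decision the advisory describes, modelled as an added Elixir example that is not Bandit's source: a scheme selector that trusts the client string (the vulnerable shape) beside one that derives the scheme from the transport's secure flag and rejects a disagreeing request. The module name SchemeDecision, the %{secure?: boolean()} map standing in for transport state, and the spoof_scenario/0 helper are all constructed for this illustration.

```elixir
# Added illustration (not Bandit's source). Models the scheme decision the
# advisory describes: the client-supplied scheme string (HTTP/1.1 absolute-form
# target or HTTP/2 :scheme pseudo-header) versus the transport's secure flag.
defmodule SchemeDecision do
  @typedoc "Constructed stand-in for transport state: did the socket negotiate TLS?"
  @type transport :: %{secure?: boolean()}

  # Vulnerable shape (the behaviour the advisory reports): the request string
  # is returned verbatim, so "https" over a plaintext TCP or h2c socket yields
  # :https on the connection and every downstream check keys off a lie.
  @spec vulnerable_scheme(transport, String.t() | nil) :: :http | :https
  def vulnerable_scheme(_transport, "https"), do: :https
  def vulnerable_scheme(_transport, "http"), do: :http
  def vulnerable_scheme(%{secure?: true}, nil), do: :https
  def vulnerable_scheme(%{secure?: false}, nil), do: :http

  # Hardened shape: the transport flag is the only source of truth. A request
  # that asserts a scheme disagreeing with the transport is rejected so the
  # caller can answer 400 Bad Request instead of recording a scheme that TLS
  # never provided.
  @spec hardened_scheme(transport, String.t() | nil) ::
          {:ok, :http | :https} | {:error, :scheme_transport_mismatch}
  def hardened_scheme(%{secure?: secure?}, client_scheme) do
    transport_scheme = if secure?, do: :https, else: :http
    expected = Atom.to_string(transport_scheme)

    case client_scheme do
      # origin-form target or no :scheme pseudo-header: nothing to verify
      nil -> {:ok, transport_scheme}
      # client string agrees with what the socket actually negotiated
      ^expected -> {:ok, transport_scheme}
      # client asserts https over plaintext (or http over TLS): refuse
      _ -> {:error, :scheme_transport_mismatch}
    end
  end

  # Constructed scenario from the advisory: a plaintext connection whose
  # client asserts https, evaluated by both shapes side by side.
  def spoof_scenario do
    plaintext = %{secure?: false}

    %{
      vulnerable: vulnerable_scheme(plaintext, "https"),
      hardened: hardened_scheme(plaintext, "https")
    }
  end
end
```

Calling SchemeDecision.spoof_scenario/0 returns :https from the vulnerable branch, which is exactly the conn.scheme value that makes Plug.SSL skip its redirect and lets secure cookies go out in the clear, and {:error, :scheme_transport_mismatch} from the hardened branch. The design point is that the request may carry a scheme, but only the socket knows whether TLS was negotiated, so the transport flag must win and any disagreement is a malformed request rather than a hint to honour.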

Related Identifiers

CVE-2026-39807
GHSA-375F-4R2H-F99J

Affected Products

Bandit