CVE-2026-42551

Name of the Vulnerable Software and Affected Versions Flight versions prior to 3.18.1

Description The getMethod() function unconditionally honors the X-HTTP-Method-Override header and the method parameter within the $ REQUEST variable on any HTTP verb, including safe verbs like GET. This occurs without an opt-in mechanism or a whitelist of permitted target methods. Consequently, a GET request can be silently converted into a DELETE or PUT request. This behavior enables Cross-Site Request Forgery (CSRF) escalation against destructive endpoints, allows the bypass of middleware restricted to unsafe verbs, and can lead to cache poisoning between a Content Delivery Network (CDN) and the origin server.

Recommendations Update to version 3.18.1. As a temporary mitigation, set the flight.allow method override setting to false to disable both the X-HTTP-Method-Override header and the method parameter.