PT-2026-40045 · CPAN · LWP::UserAgent
Kai Aizen · Published 2026-05-12 · Updated 2026-05-19 · CVE-2026-8368
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
LWP::UserAgent versions prior to 6.83
Description
LWP::UserAgent leaks Authorization and Proxy-Authorization headers during cross-origin redirects. When a 3xx response is received, the redirect handler only removes the Host and Cookie headers before the subsequent request. Consequently, caller-supplied Authorization and Proxy-Authorization headers are transmitted unchanged to the redirect target, even if the scheme, host, or port changes. This allows a redirect to an attacker-controlled host to disclose the caller's credentials.
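The redirect step the advisory describes, with the cross-origin check a hardened client applies before re-sending credential headers, written here as an added Perl illustration. It is not LWP::UserAgent's own code; the hostnames and bearer token are constructed placeholders, and it uses only the URI, HTTP::Request and HTTP::Response modules so it runs without a network.

```perl
#!/usr/bin/env perl
# Added illustration (not LWP's code): building the follow-up request for a
# 3xx response, with and without the cross-origin credential check.
use strict;
use warnings;
use URI;
use HTTP::Request;
use HTTP::Response;

# Two URIs share an origin only when scheme, host and port all match.
sub same_origin {
    my ($u, $v) = @_;
    return lc($u->scheme) eq lc($v->scheme)
        && lc($u->host)   eq lc($v->host)
        && $u->port       == $v->port;
}

# $strict false mirrors the behaviour the advisory describes: only Host and
# Cookie are dropped. $strict true also drops Authorization and
# Proxy-Authorization whenever the redirect target is a different origin.
sub follow_redirect {
    my ($request, $response, $strict) = @_;
    my $target = URI->new_abs($response->header('Location'), $request->uri);
    my $next   = $request->clone;
    $next->uri($target);
    $next->remove_header('Host', 'Cookie');
    if ($strict && !same_origin($request->uri, $target)) {
        $next->remove_header('Authorization', 'Proxy-Authorization');
    }
    return $next;
}

# Constructed sample: an authenticated request answered with a redirect to a
# different host (placeholder names and token).
my $req = HTTP::Request->new(GET => 'https://api.example.com/v1/report');
$req->header(Authorization => 'Bearer PLACEHOLDER-TOKEN');
my $res = HTTP::Response->new(302, 'Found',
    [ Location => 'https://other.example.net/collect' ]);

for my $strict (0, 1) {
    my $next = follow_redirect($req, $res, $strict);
    printf "%-12s Authorization %s\n",
        $strict ? 'hardened:' : 'pre-6.83:',
        defined $next->header('Authorization')
            ? 'forwarded to ' . $next->uri->host
            : 'stripped';
}
```

The first line of output shows the header travelling to the new host, which is the leak; the second shows the same request with the header removed because scheme, host or port changed.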
Recommendations
Update to version 6.83 or later.
Fix
Weakness Enumeration
Insufficiently Protected Credentials
Related Identifiers
CVE-2026-8368
Affected Products
LWP::UserAgent