PT-2026-40455 · Espressif Systems · Arduino-Esp32

Published: 2026-05-12 · Updated: 2026-05-13 · CVE-2026-42855

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: arduino-esp32 versions prior to 3.3.8

Description: The WebServer Digest authentication implementation computes the authentication hash using the URI field from the client's Authorization header without verifying that it matches the actual requested URI. This allows an attacker with a valid digest response for one URI to authenticate requests to a different protected URI, bypassing per-resource access control.

Recommendations: Update to version 3.3.8.
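
The check the Description says was missing, as an added example: a Python model of RFC 7616 Digest verification (MD5, qop=auth) with and without binding the header's uri field to the requested URI. This is not arduino-esp32 code; the function names, the `bind_uri` switch and the credentials are constructed for illustration, and nonce and realm validation are left out.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k=v' into a dict (escaped quotes not handled)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {k.lower(): q or u for k, q, u in
            re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', rest)}

def expected_response(p: dict, method: str, ha1: str) -> str:
    # HA2 is built from the uri the client put in the header.
    ha2 = md5_hex(f"{method}:{p['uri']}")
    return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")

def verify(header, method, request_uri, ha1, bind_uri=True) -> bool:
    """bind_uri=False models the behaviour the advisory describes;
    bind_uri=True adds the comparison against the URI actually requested."""
    p = parse_digest(header)
    if any(k not in p for k in ("uri", "nonce", "nc", "cnonce", "qop", "response")):
        return False
    if bind_uri and p["uri"] != request_uri:
        return False  # header uri does not match the resource being requested
    return hmac.compare_digest(expected_response(p, method, ha1), p["response"])

# Constructed test credentials: HA1 = MD5(username:realm:password)
HA1 = md5_hex("user:demo:password")

def sample_header(uri: str) -> str:
    """Constructed Authorization header with a valid response for `uri`."""
    p = {"username": "user", "realm": "demo", "nonce": "n0", "uri": uri,
         "qop": "auth", "nc": "00000001", "cnonce": "c0"}
    p["response"] = expected_response(p, "GET", HA1)
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in p.items())
```

The comparison here is an exact string match; `request_uri` must be the request-target as received, in the same form the client hashed.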

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2026-42855

Affected Products: Arduino-Esp32