PT-2026-50515 · Undici · Undici

Andrewmohawk +2

Published 2026-06-17 · Updated 2026-06-17

CVE-2026-9678

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

undici versions prior to 7.28.0
undici versions prior to 8.5.0

Description

The cache interceptor incorrectly classifies certain responses as cacheable when the upstream Cache-Control header contains whitespace-padded qualified private or no-cache field names, such as private=" authorization" or no-cache="\tauthorization". Because the parser preserves this surrounding whitespace, comparisons against the literal authorization field name fail, and the response is stored. In shared-cache mode this can lead to cross-user information disclosure: a response containing one user's authenticated data is served from the cache to a subsequent caller, including unauthenticated users, if both requests share the same cache key.

Recommendations

Upgrade to version 7.28.0.
Upgrade to version 8.5.0.
Disable shared-cache mode for traffic that includes Authorization headers.
Avoid caching responses to authenticated requests.
Add Vary: Authorization upstream.
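The comparison failure described above, as an added illustration that is not undici's code: a small Cache-Control parser whose qualified-field check either preserves whitespace (the flawed behaviour the advisory describes) or trims and lower-cases the names before comparing (the fix). The header value and the sharedCacheMayStore helper are constructed for this example.

```javascript
// Split on commas that are not inside a quoted-string, so qualified lists survive intact.
function splitOutsideQuotes(value) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (const ch of value) {
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === ',' && !inQuotes) { parts.push(current); current = ''; continue; }
    current += ch;
  }
  parts.push(current);
  return parts;
}
// Parse a Cache-Control value into a Map of lower-cased directive name -> value (true if bare).
// Simplified: quoted-pair escapes (\") inside quoted-strings are not handled.
function parseCacheControl(value) {
  const directives = new Map();
  for (const raw of splitOutsideQuotes(value)) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf('=');
    if (eq === -1) { directives.set(part.toLowerCase(), true); continue; }
    let val = part.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    directives.set(part.slice(0, eq).trim().toLowerCase(), val);
  }
  return directives;
}
// Field names listed by a qualified directive such as private="a, b" or no-cache="a".
// normalize=false keeps surrounding whitespace (flawed); true trims and lower-cases each name (fixed).
function qualifiedFields(directives, name, normalize) {
  const val = directives.get(name);
  if (typeof val !== 'string') return [];
  return val.split(',').map((f) => (normalize ? f.trim().toLowerCase() : f));
}
// May a shared cache store a response to an authenticated request carrying this Cache-Control?
// false for unqualified private, no-store, or a qualified private/no-cache list naming authorization.
function sharedCacheMayStore(cacheControl, { normalize }) {
  const d = parseCacheControl(cacheControl);
  if (d.get('private') === true || d.has('no-store')) return false;
  const excluded = [...qualifiedFields(d, 'private', normalize), ...qualifiedFields(d, 'no-cache', normalize)];
  return !excluded.includes('authorization');
}
// Constructed header following the advisory's pattern: stored by the flawed comparison, rejected by the fix.
const padded = 'public, max-age=60, private=" authorization"';
console.log(sharedCacheMayStore(padded, { normalize: false })); // true  (stored: the bug)
console.log(sharedCacheMayStore(padded, { normalize: true }));  // false (not stored: fixed)
```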

Related Identifiers

CVE-2026-9678

Affected Products

Undici