PT-2026-57987 · Eclipse · Vert.X Web Client

Julien Viet

·

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-15076

CVSS v4.0

8.2

High

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Eclipse Vert.x Web Client versions prior to 4.5.30 Eclipse Vert.x Web Client versions prior to 5.1.5
Description The WebClientSession component fails to validate that the Domain attribute of a Set-Cookie response header matches the originating server's domain, which violates RFC 6265 section 5.3. An attacker controlling a server contacted by the victim application can inject a cookie scoped to an arbitrary third-party domain. Since the session store does not perform cross-domain ownership checks, it stores and subsequently transmits this cookie to the targeted domain. This allows the receiving service to process requests under the attacker's account, potentially exposing sensitive data such as payment amounts, card details, or API payloads to the attacker.
Recommendations Update to version 4.5.30 or later for the 4.x branch. Update to version 5.1.5 or later for the 5.x branch.

Fix

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15076

Affected Products

Vert.X Web Client