PT-2026-57987 · Eclipse · Vert.X Web Client
Julien Viet
·
Published
2026-07-14
·
Updated
2026-07-14
·
CVE-2026-15076
CVSS v4.0
8.2
High
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Eclipse Vert.x Web Client versions prior to 4.5.30
Eclipse Vert.x Web Client versions prior to 5.1.5
Description
The
WebClientSession component fails to validate that the Domain attribute of a Set-Cookie response header matches the originating server's domain, which violates RFC 6265 section 5.3. An attacker controlling a server contacted by the victim application can inject a cookie scoped to an arbitrary third-party domain. Since the session store does not perform cross-domain ownership checks, it stores and subsequently transmits this cookie to the targeted domain. This allows the receiving service to process requests under the attacker's account, potentially exposing sensitive data such as payment amounts, card details, or API payloads to the attacker.Recommendations
Update to version 4.5.30 or later for the 4.x branch.
Update to version 5.1.5 or later for the 5.x branch.
Fix
Origin Validation Error
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Vert.X Web Client