CVE-2026-5119
Libsoup: libsoup: information disclosure via cleartext transmission of cookies during https tunnel establishment
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
4th
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.
| CWE | CWE-319 |
| Vendor | red hat |
| Product | red hat enterprise linux 10 |
| Published | Mar 30, 2026 |
| Last Updated | Jun 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for red hat red hat enterprise linux 10
Be the first to know when new medium vulnerabilities affecting red hat red hat enterprise linux 10 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Affected Versions
Red Hat / Red Hat Enterprise Linux 10
All versions affected Red Hat / Red Hat Enterprise Linux 10
All versions affected Red Hat / Red Hat Enterprise Linux 10.0 Extended Update Support
All versions affected Red Hat / Red Hat Enterprise Linux 7 Extended Lifecycle Support
All versions affected Red Hat / Red Hat Enterprise Linux 8
All versions affected Red Hat / Red Hat Enterprise Linux 8
All versions affected Red Hat / Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
All versions affected Red Hat / Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On
All versions affected Red Hat / Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
All versions affected Red Hat / Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On
All versions affected Red Hat / Red Hat Enterprise Linux 8.8 Telecommunications Update Service
All versions affected Red Hat / Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
All versions affected Red Hat / Red Hat Enterprise Linux 9
All versions affected Red Hat / Red Hat Enterprise Linux 9
All versions affected Red Hat / Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
All versions affected Red Hat / Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
All versions affected Red Hat / Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions
All versions affected Red Hat / Red Hat Enterprise Linux 9.6 Extended Update Support
All versions affected Red Hat / Red Hat Enterprise Linux 6
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:13978 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:14087 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:15968 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:17482 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:19143 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:19356 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:21686 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:22316 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:22317 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:22323 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:22710 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:22716 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:24344 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:24722 access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-5119 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2452932 gitlab.gnome.org: https://gitlab.gnome.org/GNOME/libsoup/-/issues/502
Credits
Red Hat would like to thank Kona Arctic for reporting this issue.