NIXPKGS-2026-0856

GitHub issue published on

Permalink CVE-2026-5119

5.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

updated 1 week, 2 days ago by @mweinelt Activity log

Created automatic suggestion 1 week, 2 days ago
@mweinelt removed package tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4" 1 week, 2 days ago
@mweinelt accepted 1 week, 2 days ago
@mweinelt published on GitHub 1 week, 2 days ago

Libsoup: libsoup: information disclosure via cleartext transmission of cookies during https tunnel establishment

A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.

References

https://access.redhat.com/security/cve/CVE-2026-5119 x_refsource_REDHATvdb-entry
RHBZ#2452932 issue-trackingx_refsource_REDHAT
https://gitlab.gnome.org/GNOME/libsoup/-/issues/502

Affected products

libsoup

libsoup3

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

nixos-unstable 3.6.6
- nixpkgs-unstable 3.6.6
- nixos-unstable-small 3.6.6
nixos-25.11 3.6.6
- nixos-25.11-small 3.6.6
- nixpkgs-25.11-darwin 3.6.6

pkgs.libsoup_2_4