{"id":"CVE-2026-8368","summary":"LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects","details":"LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.\n\nOn a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.\n\nA redirect to an attacker-controlled host therefore discloses the caller's credentials to that host.","modified":"2026-06-18T03:54:28.106126590Z","published":"2026-05-12T14:01:25.365Z","related":["openSUSE-SU-2026:10781-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8368.json","cna_assigner":"CPANSec","cwe_ids":["CWE-522"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/12/7"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8368.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/OALDERS/libwww-perl-6.83/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8368"},{"type":"REPORT","url":"https://github.com/libwww-perl/libwww-perl/pull/512"},{"type":"FIX","url":"https://github.com/libwww-perl/libwww-perl/commit/9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6.patch"},{"type":"FIX","url":"https://github.com/libwww-perl/libwww-perl/pull/284"},{"type":"PACKAGE","url":"https://github.com/libwww-perl/libwww-perl"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libwww-perl/libwww-perl","events":[{"introduced":"0"},{"fixed":"b0b72da4809a29d3d929632aed77896363da7ba7"},{"fixed":"9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6"}],"database_specific":{"extracted_events":[{"introduced":"0"
},{"fixed":"6.83"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["v6.82","v6.81","v6.80","v6.79","v6.78","v6.77","v6.76","v6.75","v6.74","v6.73","v6.72","v6.71","v6.70","v6.69","v6.68","v6.67","v6.66","v6.65","v6.64","v6.63","v6.62","v6.61","v6.60","v6.59","v6.58","v6.57","v6.56","v6.55","v6.54","v6.53","v6.52","v6.51","v6.50","v6.49","v6.48","v6.47","v6.46","v6.45","v6.44","v6.43","v6.42","v6.41","v6.40","v6.39","v6.38","v6.37","v6.36","v6.35","v6.34","v6.33","v6.32","v6.31","v6.30","v6.29","v6.28","v6.27","v6.26","v6.25","v6.24","v6.23","v6.22","v6.21","v6.20","6.19","libwww-perl/6.18","libwww-perl/6.17","libwww-perl/6.16","6.15","6.13","6.12","6.11","6.10","libwww-perl/6.09","6.09","6.08","6.07","6.06","6.05","6.04","libwww-perl/6.03","libwww-perl/6.02","libwww-perl/6.01","libwww-perl/6.00","libwww-perl/5.837","libwww-perl/5.836","libwww-perl/5.835","libwww-perl/5.834","libwww-perl/5.833","libwww-perl/5.832","libwww-perl/5.831","libwww-perl/5.830","libwww-perl/5.829","libwww-perl/5.828","libwww-perl/5.827","libwww-perl/5.826","libwww-perl/5.825","5.825","libwww-perl/5.824","5.824","libwww-perl/5.823","5.823","libwww-perl/5.822","5.822","libwww-perl/5.821","5.821","libwww-perl/5.820","5.820","libwww-perl/5.819","5.819","libwww-perl/5.818","5.818","libwww-perl/5.817","5.817","libwww-perl/5.816","5.816","libwww-perl/5.815","R5.815","libwww-perl/5.814","R5.814","libwww-perl/5.813","R5.813","libwww-perl/5.812","R5.812","libwww-perl/5.811","R5.811","list","libwww-perl/5.810","R5.810","libwww-perl/5.808","R5.808","libwww-perl/5.807","R5.807","libwww-perl/5.806","R5.806","libwww-perl/5.805","R5.805","libwww-perl/5.804","R5.804","libwww-perl/5.803","R5.803","libwww-perl/5.802","R5.802","libwww-perl/5.801","R5.801","libwww-perl/5.800","R5.800","libwww-perl/5.79","R5.79","libwww-perl/5.78","R5.78","libwww-perl/5.77","R5.77","libwww-perl/5.76","R5.76","libwww-perl/5.75","R5.75","libwww-perl/5.74","R5.74","libwww-perl/5.73","R5.73","libwww-perl/5.72","R5.72","libwww-p
erl/5.71","R5.71","libwww-perl/5.70","R5.70","libwww-perl/5.69","R5.69","libwww-perl/5.68","R5.68","libwww-perl/5.67","R5.67","libwww-perl/5.66","R5.66","libwww-perl/5.65","R5.65","libwww-perl/5.64","R5.64","libwww-perl/5.63","R5.63","libwww-perl/5.62","R5.62","libwww-perl/5.61","R5.61","libwww-perl/5.60","R5.60","libwww-perl/5.53.97","R5.53.97","libwww-perl/5.53.96","R5.53.96","libwww-perl/5.53.95","R5.53.95","libwww-perl/5.53.94","R5.53.94","libwww-perl/5.53.93","R5.53.93","libwww-perl/5.53.92","R5.53.92","libwww-perl/5.53.91","R5.53.91","libwww-perl/5.53.90","R5.53.90","libwww-perl/5.53","R5.53","libwww-perl/5.52","R5.52","libwww-perl/5.51","R5.51","libwww-perl/5.50","R5.50","libwww-perl/5.49","R5.49","libwww-perl/5.48","R5.48","libwww-perl/5.47","R5.47","libwww-perl/5.46","R5.46","libwww-perl/5.45","R5.45","libwww-perl/5.44","R5.44","libwww-perl/5.43","R5.43","libwww-perl/5.42","R5.42","R0.04","R0.02","libwww-perl/5.41","R5.41","libwww-perl/5.36","R5.36","libwww-perl/5.35","R5.35","libwww-perl/5.34","R5.34","libwww-perl/5.33","R5.33","libwww-perl/5.32","R5.32","libwww-perl/5.31","R5.31","libwww-perl/5.30","R5.30","libwww-perl/5.22","R5.22","libwww-perl/5.21","R5.21","libwww-perl/5.20","R5.20","libwww-perl/5.19","R5.19","libwww-perl/5.18.05","R5.18.05","libwww-perl/5.18.04","R5.18.04","libwww-perl/5.18.03","R5.18.03","libwww-perl/5.18","R5.18","libwww-perl/5.17","R5.17","libwww-perl/5.16","R5.16","libwww-perl/5.15","R5.15","libwww-perl/5.14","R5.14","libwww-perl/5.13","R5.13","libwww-perl/5.12","R5.12","libwww-perl/5.11","R5.11","libwww-perl/5.10","R5.10","libwww-perl/5.09","R5.09","libwww-perl/5.08","R5.08","libwww-perl/5.07","R5.07","libwww-perl/5.06","R5.06","libwww-perl/5.05","R5.05","libwww-perl/5.04","R5.04","libwww-perl/5.03","R5.03","libwww-perl/5.02","R5.02","libwww-perl/5.01","R5.01","libwww-perl/5.00","R5.00","libwww-perl/5.00-beta13","B13","libwww-perl/5.00-beta12","B12","libwww-perl/5.00-beta11","B11","libwww-perl/5.00-beta10","B10","libwww-perl/5.00
-beta9","B9","libwww-perl/5.00-beta8","B8","libwww-perl/5.00-beta7","B7","libwww-perl/5.00-beta6","B6","libwww-perl/5.00-beta5","B5","libwww-perl/0.03","R0.03"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-8368.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}