{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5119", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-30T05:13:41.920Z", "datePublished": "2026-03-30T05:35:57.099Z", "dateUpdated": "2026-06-03T09:30:30.756Z"}, "containers": {"cna": {"title": "Libsoup: libsoup: information disclosure via cleartext transmission of cookies during https tunnel establishment", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup3", "defaultStatus": "affected", "versions": [{"version": "0:3.6.5-3.el10_1.11", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:10.1"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup3", "defaultStatus": "affected", "versions": [{"version": "0:3.6.5-3.el10_2.11", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:10.2"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10.0 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup3", "defaultStatus": "affected", "versions": [{"version": "0:3.6.5-3.el10_0.15", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux_eus:10.0"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.62.3-14.el8_10", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.62.3-14.el8_10", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.62.3-2.el8_4.9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.62.3-2.el8_4.9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.62.3-3.el8_8.9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:8.8::appstream", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/o:redhat:rhel_e4s:8.8::baseos", "cpe:/o:redhat:rhel_tus:8.8::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.62.3-3.el8_8.9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:8.8::appstream", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/o:redhat:rhel_e4s:8.8::baseos", "cpe:/o:redhat:rhel_tus:8.8::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.72.0-12.el9_7.6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.72.0-16.el9_8.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.72.0-8.el9_0.10", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:9.0::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.72.0-8.el9_2.11", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:9.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.72.0-8.el9_4.10", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:9.4::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.6 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "versions": [{"version": "0:2.72.0-10.el9_6.7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.6::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libsoup", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:13978", "name": "RHSA-2026:13978", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:14087", "name": "RHSA-2026:14087", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:15968", "name": "RHSA-2026:15968", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:17482", "name": "RHSA-2026:17482", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:19143", "name": "RHSA-2026:19143", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:19356", "name": "RHSA-2026:19356", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:21686", "name": "RHSA-2026:21686", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22316", "name": "RHSA-2026:22316", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22317", "name": "RHSA-2026:22317", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22323", "name": "RHSA-2026:22323", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22710", "name": "RHSA-2026:22710", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22716", "name": "RHSA-2026:22716", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-5119", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452932", "name": "RHBZ#2452932", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/502"}], "datePublic": "2026-03-30T05:30:32.610Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-319: Cleartext Transmission of Sensitive Information", "workarounds": [{"lang": "en", "value": "To mitigate this issue, ensure that all HTTP proxies used for HTTPS tunnels are trusted and operate within a secure network. Avoid configuring applications to use untrusted HTTP proxies. If feasible, configure applications to bypass proxies for sensitive connections or utilize a secure proxy solution that encrypts the entire communication channel. A service restart or application reload may be required for changes to take effect."}], "timeline": [{"lang": "en", "time": "2026-03-30T05:15:27.541Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-30T05:30:32.610Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Kona Arctic for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-03T09:30:30.756Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T16:00:52.017996Z", "id": "CVE-2026-5119", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T16:01:02.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5119", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T16:00:52.017996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T16:00:57.729Z"}}], "cna": {"title": "Libsoup: libsoup: information disclosure via cleartext transmission of cookies during https tunnel establishment", "credits": [{"lang": "en", "value": "Red Hat would like to thank Kona Arctic for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10.1"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "versions": [{"status": "unaffected", "version": "0:3.6.5-3.el10_1.11", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10.2"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "versions": [{"status": "unaffected", "version": "0:3.6.5-3.el10_2.11", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux_eus:10.0"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10.0 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:3.6.5-3.el10_0.15", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:2.62.3-14.el8_10", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:2.62.3-14.el8_10", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "versions": [{"status": "unaffected", "version": "0:2.62.3-2.el8_4.9", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_aus:8.4::appstream", "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream", "cpe:/o:redhat:rhel_aus:8.4::baseos", "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "versions": [{"status": "unaffected", "version": "0:2.62.3-2.el8_4.9", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:8.8::appstream", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/o:redhat:rhel_e4s:8.8::baseos", "cpe:/o:redhat:rhel_tus:8.8::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "versions": [{"status": "unaffected", "version": "0:2.62.3-3.el8_8.9", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:8.8::appstream", "cpe:/a:redhat:rhel_tus:8.8::appstream", "cpe:/o:redhat:rhel_e4s:8.8::baseos", "cpe:/o:redhat:rhel_tus:8.8::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "0:2.62.3-3.el8_8.9", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:2.72.0-12.el9_7.6", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:2.72.0-16.el9_8.1", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:9.0::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "0:2.72.0-8.el9_0.10", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:9.2::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "0:2.72.0-8.el9_2.11", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:9.4::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "0:2.72.0-8.el9_4.10", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.6::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.6 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:2.72.0-10.el9_6.7", "lessThan": "*", "versionType": "rpm"}], "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "libsoup", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-03-30T05:15:27.541Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-30T05:30:32.610Z", "value": "Made public."}], "datePublic": "2026-03-30T05:30:32.610Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:13978", "name": "RHSA-2026:13978", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:14087", "name": "RHSA-2026:14087", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:15968", "name": "RHSA-2026:15968", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:17482", "name": "RHSA-2026:17482", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:19143", "name": "RHSA-2026:19143", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:19356", "name": "RHSA-2026:19356", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:21686", "name": "RHSA-2026:21686", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22316", "name": "RHSA-2026:22316", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22317", "name": "RHSA-2026:22317", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22323", "name": "RHSA-2026:22323", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22710", "name": "RHSA-2026:22710", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:22716", "name": "RHSA-2026:22716", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-5119", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452932", "name": "RHBZ#2452932", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/502"}], "workarounds": [{"lang": "en", "value": "To mitigate this issue, ensure that all HTTP proxies used for HTTPS tunnels are trusted and operate within a secure network. Avoid configuring applications to use untrusted HTTP proxies. If feasible, configure applications to bypass proxies for sensitive connections or utilize a secure proxy solution that encrypts the entire communication channel. A service restart or application reload may be required for changes to take effect."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-03T09:30:30.756Z"}, "x_redhatCweChain": "CWE-319: Cleartext Transmission of Sensitive Information"}}, "cveMetadata": {"cveId": "CVE-2026-5119", "state": "PUBLISHED", "dateUpdated": "2026-06-03T09:30:30.756Z", "dateReserved": "2026-03-30T05:13:41.920Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-03-30T05:35:57.099Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:libsoup:-:*:*:*:*:*:*:*", "matchCriteriaId": "C5BAC4F4-3ACD-4F4D-920C-F920FD2C5472", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en libsoup. Al establecer t\u00faneles HTTPS a trav\u00e9s de un proxy HTTP configurado, las cookies de sesi\u00f3n sensibles se transmiten en texto claro dentro de la solicitud HTTP CONNECT inicial. Un atacante posicionado en la red o un proxy HTTP malicioso puede interceptar estas cookies, lo que podr\u00eda conducir al secuestro potencial de la sesi\u00f3n o a la suplantaci\u00f3n de identidad del usuario."}], "id": "CVE-2026-5119", "lastModified": "2026-06-03T11:16:19.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-30T07:15:58.350", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:13978"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:14087"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:15968"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:17482"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:19143"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:19356"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:21686"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:22316"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:22317"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:22323"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:22710"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:22716"}, {"source": "secalert@redhat.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-5119"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452932"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/502"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Kona Arctic for reporting this issue.", "bugzilla": {"description": "libsoup: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment", "id": "2452932", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452932"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-319", "details": ["A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that all HTTP proxies used for HTTPS tunnels are trusted and operate within a secure network. Avoid configuring applications to use untrusted HTTP proxies. If feasible, configure applications to bypass proxies for sensitive connections or utilize a secure proxy solution that encrypts the entire communication channel. A service restart or application reload may be required for changes to take effect."}, "name": "CVE-2026-5119", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "libsoup3", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libsoup", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "libsoup", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libsoup", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libsoup", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-30T05:30:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5119\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5119\nhttps://gitlab.gnome.org/GNOME/libsoup/-/issues/502"], "statement": "Moderate impact. This flaw in libsoup allows sensitive session cookies to be transmitted in cleartext within the initial HTTP CONNECT request when establishing HTTPS tunnels through a configured HTTP proxy. A network-positioned attacker or a malicious HTTP proxy could intercept these cookies, potentially leading to session hijacking or user impersonation. This affects Red Hat Enterprise Linux systems configured to use an HTTP proxy for HTTPS connections.", "threat_severity": "Moderate"}