CVE-2026-1539

EUVD-2026-4889
A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.8 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Affected Products (NVD)
VendorProductVersion
gnomelibsoup
-
redhatenterprise_linux
6.0
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libsoup2.4
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
vulnerable
trixie
no-dsa
libsoup3
bookworm
no-dsa
forky
3.6.6-1
fixed
sid
3.6.6-1
fixed
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libsoup2.4
bionic
needed
focal
needed
jammy
needed
noble
needed
questing
needed
resolute
needed
xenial
needed
libsoup3
jammy
Fixed 3.0.7-0ubuntu1+esm7
released
noble
Fixed 3.4.4-5ubuntu0.7
released
questing
Fixed 3.6.5-4ubuntu0.2
released
resolute
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libsoup-2_4-1
suse enterprise desktop 15 SP7
2.74.3-150600.4.30.1
fixed
suse enterprise sap 15 SP4
2.74.2-150400.3.31.1
fixed
suse enterprise sap 15 SP5
2.74.2-150400.3.31.1
fixed
suse enterprise sap 15 SP7
2.74.3-150600.4.30.1
fixed
suse enterprise server 12 SP3
2.62.2-5.37.1
fixed
suse enterprise server 12 SP5
2.62.2-5.37.1
fixed
suse enterprise server 15 SP4
2.74.2-150400.3.31.1
fixed
suse enterprise server 15 SP5
2.74.2-150400.3.31.1
fixed
suse enterprise server 15 SP6
2.74.3-150600.4.30.1
fixed
suse enterprise server 15 SP7
2.74.3-150600.4.30.1
fixed
libsoup-2_4-1-32bit
suse enterprise server 12 SP3
2.62.2-5.37.1
fixed
suse enterprise server 12 SP5
2.62.2-5.37.1
fixed
libsoup-3_0-0
suse enterprise desktop 15 SP7
3.4.4-150600.3.37.1
fixed
suse enterprise sap 15 SP4
3.0.4-150400.3.37.1
fixed
suse enterprise sap 15 SP5
3.0.4-150400.3.37.1
fixed
suse enterprise sap 15 SP7
3.4.4-150600.3.37.1
fixed
suse enterprise server 15 SP4
3.0.4-150400.3.37.1
fixed
suse enterprise server 15 SP5
3.0.4-150400.3.37.1
fixed
suse enterprise server 15 SP6
3.4.4-150600.3.37.1
fixed
suse enterprise server 15 SP7
3.4.4-150600.3.37.1
fixed
libsoup-devel
suse enterprise desktop 15 SP7
3.4.4-150600.3.37.1
fixed
suse enterprise sap 15 SP4
3.0.4-150400.3.37.1
fixed
suse enterprise sap 15 SP5
3.0.4-150400.3.37.1
fixed
suse enterprise sap 15 SP7
3.4.4-150600.3.37.1
fixed
suse enterprise server 12 SP3
2.62.2-5.37.1
fixed
suse enterprise server 12 SP5
2.62.2-5.37.1
fixed
suse enterprise server 15 SP4
3.0.4-150400.3.37.1
fixed
suse enterprise server 15 SP5
3.0.4-150400.3.37.1
fixed
suse enterprise server 15 SP6
3.4.4-150600.3.37.1
fixed
suse enterprise server 15 SP7
3.4.4-150600.3.37.1
fixed
libsoup-lang
suse enterprise desktop 15 SP7
3.4.4-150600.3.37.1
fixed
suse enterprise sap 15 SP4
3.0.4-150400.3.37.1
fixed
suse enterprise sap 15 SP5
3.0.4-150400.3.37.1
fixed
suse enterprise sap 15 SP7
3.4.4-150600.3.37.1
fixed
suse enterprise server 12 SP3
2.62.2-5.37.1
fixed
suse enterprise server 12 SP5
2.62.2-5.37.1
fixed
suse enterprise server 15 SP4
3.0.4-150400.3.37.1
fixed
suse enterprise server 15 SP5
3.0.4-150400.3.37.1
fixed
suse enterprise server 15 SP6
3.4.4-150600.3.37.1
fixed
suse enterprise server 15 SP7
3.4.4-150600.3.37.1
fixed
libsoup2-devel
suse enterprise desktop 15 SP7
2.74.3-150600.4.30.1
fixed
suse enterprise sap 15 SP4
2.74.2-150400.3.31.1
fixed
suse enterprise sap 15 SP5
2.74.2-150400.3.31.1
fixed
suse enterprise sap 15 SP7
2.74.3-150600.4.30.1
fixed
suse enterprise server 15 SP4
2.74.2-150400.3.31.1
fixed
suse enterprise server 15 SP5
2.74.2-150400.3.31.1
fixed
suse enterprise server 15 SP6
2.74.3-150600.4.30.1
fixed
suse enterprise server 15 SP7
2.74.3-150600.4.30.1
fixed
libsoup2-lang
suse enterprise desktop 15 SP7
2.74.3-150600.4.30.1
fixed
suse enterprise sap 15 SP4
2.74.2-150400.3.31.1
fixed
suse enterprise sap 15 SP5
2.74.2-150400.3.31.1
fixed
suse enterprise sap 15 SP7
2.74.3-150600.4.30.1
fixed
suse enterprise server 15 SP4
2.74.2-150400.3.31.1
fixed
suse enterprise server 15 SP5
2.74.2-150400.3.31.1
fixed
suse enterprise server 15 SP6
2.74.3-150600.4.30.1
fixed
suse enterprise server 15 SP7
2.74.3-150600.4.30.1
fixed
typelib-1_0-Soup-2_4
suse enterprise desktop 15 SP7
2.74.3-150600.4.30.1
fixed
suse enterprise sap 15 SP4
2.74.2-150400.3.31.1
fixed
suse enterprise sap 15 SP5
2.74.2-150400.3.31.1
fixed
suse enterprise sap 15 SP7
2.74.3-150600.4.30.1
fixed
suse enterprise server 12 SP3
2.62.2-5.37.1
fixed
suse enterprise server 12 SP5
2.62.2-5.37.1
fixed
suse enterprise server 15 SP4
2.74.2-150400.3.31.1
fixed
suse enterprise server 15 SP5
2.74.2-150400.3.31.1
fixed
suse enterprise server 15 SP6
2.74.3-150600.4.30.1
fixed
suse enterprise server 15 SP7
2.74.3-150600.4.30.1
fixed
typelib-1_0-Soup-3_0
suse enterprise desktop 15 SP7
3.4.4-150600.3.37.1
fixed
suse enterprise sap 15 SP4
3.0.4-150400.3.37.1
fixed
suse enterprise sap 15 SP5
3.0.4-150400.3.37.1
fixed
suse enterprise sap 15 SP7
3.4.4-150600.3.37.1
fixed
suse enterprise server 15 SP4
3.0.4-150400.3.37.1
fixed
suse enterprise server 15 SP5
3.0.4-150400.3.37.1
fixed
suse enterprise server 15 SP6
3.4.4-150600.3.37.1
fixed
suse enterprise server 15 SP7
3.4.4-150600.3.37.1
fixed
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2026-1539
https://gitlab.gnome.org/GNOME/libsoup/-/issues/489