CVE-2026-3632

EUVD-2026-12559

17.03.2026, 10:16

A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.9 LOW	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 10%

Affected Products (NVD)

Vendor	Product	Version
gnome	libsoup	-
redhat	enterprise_linux	6.0
redhat	enterprise_linux	7.0
redhat	enterprise_linux	8.0
redhat	enterprise_linux	9.0
redhat	enterprise_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libsoup2.4

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	vulnerable
trixie	no-dsa

libsoup3

bookworm	no-dsa
forky	vulnerable
sid	vulnerable
trixie	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

libsoup2.4

bionic	deferred
focal	deferred
jammy	deferred
noble	deferred
questing	deferred
resolute	deferred
xenial	deferred

libsoup3

jammy	deferred
noble	deferred
questing	deferred
resolute	deferred

Known Exploits!

https://gitlab.gnome.org/GNOME/libsoup/-/issues/483

Common Weakness Enumeration

CWE-1286 - Improper Validation of Syntactic Correctness of Input
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

Vulnerability Media Exposure

[GERMAN] IBM App Connect Enterprise: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in IBM App Connect Enterprise ausnutzen, um Sicherheitsvorkehrungen zu umgehen, um einen Denial of Service Angriff durchzuführen, um Informationen offenzulegen, um Dateien zu manipulieren, um einen Cross-Site Scripting Angriff durchzuführen, um einen SQL-Injection Angriff durchzuführen, und um beliebigen Programmcode auszuführen.
Published: 2026-04-07T22:00:00+00:00

References

https://access.redhat.com/security/cve/CVE-2026-3632

https://bugzilla.redhat.com/show_bug.cgi?id=2445127

https://gitlab.gnome.org/GNOME/libsoup/-/issues/483