CVE-2026-3632

17.03.2026, 10:16

A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where they can send hidden, malicious requests alongside legitimate ones. In certain situations, this could lead to Server-Side Request Forgery (SSRF), enabling an attacker to force the server to make unauthorized requests to other internal or external systems. The impact is low, as SoupServer is not actually used in internet infrastructure.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.9 LOW	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

libsoup2.4

bookworm	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
trixie	vulnerable

libsoup3

bookworm	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

libsoup2.4

bionic	deferred
focal	deferred
jammy	deferred
noble	deferred
questing	deferred
xenial	deferred

libsoup3

jammy	deferred
noble	deferred
questing	deferred

Common Weakness Enumeration

CWE-1286 - Improper Validation of Syntactic Correctness of Input
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.

References

https://access.redhat.com/security/cve/CVE-2026-3632

https://bugzilla.redhat.com/show_bug.cgi?id=2445127

https://gitlab.gnome.org/GNOME/libsoup/-/issues/483