CVE-2026-8368

EUVD-2026-29492

12.05.2026, 15:16

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.

On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.

A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Debian Releases

Debian Product

Codename

libwww-perl

bookworm	no-dsa
bullseye	postponed
forky	6.83-1 fixed
sid	6.83-1 fixed
trixie	no-dsa

Amazon Linux Releases

Amazon Package

Release

perl-libwww-perl

Amazon Linux 2	0:6.05-2.amzn2.0.1 fixed
Amazon Linux 2023	0:6.58-1.amzn2023.0.3 fixed

perl-libwww-perl-tests

Amazon Linux 2023

0:6.58-1.amzn2023.0.3

fixed

Azure Linux Releases

Azure Package

Release

perl-libwww-perl

Azure Linux 3.0

0:6.83-1.azl3

fixed

Common Weakness Enumeration

CWE-522 - Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References

https://github.com/libwww-perl/libwww-perl/commit/9c4aeb6f2dd32f2b7eaf2d7827cade31ea6cb2c6.patch

https://github.com/libwww-perl/libwww-perl/pull/284

https://github.com/libwww-perl/libwww-perl/pull/512

https://metacpan.org/release/OALDERS/libwww-perl-6.83/changes

http://www.openwall.com/lists/oss-security/2026/05/12/7