{"id":"CVE-2026-7017","summary":"HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets","details":"HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.\n\nWhen the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire.\n\nThe HTTP::Tiny POD note that \"Authorization headers will not be included in a redirected request\" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.","modified":"2026-07-10T03:54:14.487144085Z","published":"2026-07-07T17:41:48.989Z","related":["openSUSE-SU-2026:11219-1"],"database_specific":{"cna_assigner":"CPANSec","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7017.json","cwe_ids":["CWE-522"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/07/07/13"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7017.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/HAARG/HTTP-Tiny-0.095-TRIAL/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-7017"},{"type":"REPORT","url":"https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36"},{"type":"FIX","url":"https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/84984ef3930ddd4afcf5eb83b40d3cee200739c3.patch"},{"type":"FIX","url":"https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/8f32ca89e21c3ad0422adc698fa6ad17a193f55f.patch"},{"type":"FIX","url":"https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/e7a03aedf2395158f2b0d3bad2df943349227bb3.patch"},{"type":"PACKAGE","url":"https://github.com/Perl-Toolchain-Gang/HTTP-Tiny"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/perl-toolchain-gang/http-tiny","events":[{"introduced":"0"},{"fixed":"fb410436ac6bd435d893d3ca34e575a1523d5ebb"},{"fixed":"84984ef3930ddd4afcf5eb83b40d3cee200739c3"},{"fixed":"8f32ca89e21c3ad0422adc698fa6ad17a193f55f"},{"fixed":"e7a03aedf2395158f2b0d3bad2df943349227bb3"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.095"}],"source":["DESCRIPTION","REFERENCES"]}}],"versions":["release-0.094","release-0.093","release-0.092","release-0.091","release-0.090","release-0.089","release-0.088","release-0.086","release-0.084","release-0.083","release-0.082","release-0.081","release-0.080","release-0.079","release-0.078","release-0.077","release-0.076","release-0.075","release-0.074","release-0.073","release-0.071","release-0.070","release-0.069","release-0.068","release-0.067","release-0.065","release-0.064","release-0.063","release-0.061","release-0.059","release-0.058","release-0.057","release-0.056","release-0.055","release-0.054","release-0.053","release-0.052","release-0.051","release-0.050","release-0.049","release-0.048","release-0.047","release-0.046","release-0.045","release-0.044","release-0.043","release-0.042","release-0.041","release-0.040","release-0.039","release-0.038","release-0.037","release-0.036","release-0.035","release-0.034","release-0.033","release-0.032","release-0.031","release-0.030","release-0.029","release-0.028","release-0.027","release-0.026","release-0.025","release-0.024","release-0.023","release-0.022","release-0.021","release-0.020","release-0.019","release-0.018","release-0.017","release-0.016","release-0.015","release-0.014","release-0.013","release-0.012","release-0.011","release-0.010","release-0.009","release-0.008","release-0.007","release-0.006","release-0.005","release-0.004","release-0.003","release-0.002","release-0.001"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7017.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"}]}