{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33745", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.562Z", "datePublished": "2026-03-27T00:46:48.941Z", "dateUpdated": "2026-03-27T00:46:48.941Z"}, "containers": {"cna": {"title": "cpp-httplib Client Leaks Authentication Credentials to Untrusted Hosts on Cross-Origin HTTP Redirect", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-6hrp-7fq9-3qv2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-6hrp-7fq9-3qv2"}], "affected": [{"vendor": "yhirose", "product": "cpp-httplib", "versions": [{"version": "< 0.39.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:46:48.941Z"}, "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue."}], "source": {"advisory": "GHSA-6hrp-7fq9-3qv2", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue."}], "id": "CVE-2026-33745", "lastModified": "2026-03-27T01:16:21.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:21.167", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-6hrp-7fq9-3qv2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.39.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "cpp-httplib", "source": "cna", "vendor": "yhirose"}, "product": "cpp-httplib", "vendor": "yhirose"}], "analysis": {"en": {"generated_at": "2026-03-27T06:50:59.314627+00:00", "value": {"mitigation_remediation": ["Update cpp-httplib to version 0.39.0 or later", "Rebuild applications and dependent libraries to use the patched version", "If an upgrade is infeasible, configure the client to reject redirects to different origins or disable automatic redirection handling"], "summary": {"action": "Apply Patch", "impact": "Credential Exposure"}, "threat_synthesis": {"affected_systems": "The issue affects the yhirose:cpp\u2011httplib library in all releases older than 0.39.0. Projects that include the library as a header\u2011only dependency are at risk unless they have upgraded to the patched version. The library\u2019s single\u2011file nature means a simple inclusion of an old header can expose applications.", "description_and_impact": "The cpp-httplib HTTP client forwards Basic Auth, Bearer token, and Digest credentials to any host when following cross\u2011origin redirects (301, 302, 307, 308). This behavior allows an attacker who controls the redirect target to receive credentials sent in the Authorization header, potentially compromising authenticated sessions. The flaw falls under an information\u2011exposure weakness.", "risk_and_exploitability": "The CVSS score of 7.4 indicates high severity. No public exploitation reports are recorded and the vulnerability is not yet present in the CISA Known Exploited Vulnerabilities catalog, suggesting limited known usage. Nevertheless, any client communicating with a server that can issue a malicious redirect can be tricked into leaking credentials. The attack vector is a remote network attack relying on HTTP redirects, and the risk is significant for applications that rely on secure authentication."}}}}, "created": "2026-03-27T08:31:04.637486+00:00", "updated": "2026-03-27T09:22:27.031054+00:00", "vendors": ["yhirose", "yhirose$PRODUCT$cpp-httplib"]}