CVE-2026-5119
Description
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies, leading to potential session hijacking or user impersonation.
Mitigations
Mitigation details
Description
libsoup: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment
Red Hat statement
Moderate impact. This flaw in libsoup allows sensitive session cookies to be transmitted in cleartext within the initial HTTP CONNECT request when establishing HTTPS tunnels through a configured HTTP proxy. A network-positioned attacker or a malicious HTTP proxy could intercept these cookies, potentially leading to session hijacking or user impersonation. This affects Red Hat Enterprise Linux systems configured to use an HTTP proxy for HTTPS connections.
CVSS v3: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N)
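A defender-side check for the CONNECT behaviour described above, as an added example that is not part of the original advisory or of libsoup's code: it scans request heads as seen at the HTTP proxy and reports CONNECT requests that carry a Cookie header, recording cookie names only. The sample requests, hostnames and function names are constructed for illustration.

```python
# Constructed sample: request heads as an HTTP proxy receives them in cleartext.
SAMPLE_REQUESTS = [
    b"CONNECT shop.example:443 HTTP/1.1\r\nHost: shop.example:443\r\n"
    b"Cookie: session=CONSTRUCTED123; theme=dark\r\n\r\n",
    b"CONNECT api.example:443 HTTP/1.1\r\nHost: api.example:443\r\n"
    b"Proxy-Connection: keep-alive\r\n\r\n",
    b"GET http://plain.example/ HTTP/1.1\r\nHost: plain.example\r\n"
    b"Cookie: a=b\r\n\r\n",
    b"not-an-http-request",
]


def parse_head(raw):
    """Split a raw request head into (method, target, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def cookie_names(value):
    """Return cookie names only, so findings never store the secret values."""
    names = [pair.split("=", 1)[0].strip() for pair in value.split(";")]
    return [n for n in names if n]


def find_connect_cookie_leaks(requests):
    """Report CONNECT requests that expose a Cookie header to the proxy hop."""
    findings = []
    for raw in requests:
        try:
            method, target, headers = parse_head(raw)
        except ValueError:
            continue  # not a parseable request line; skip it
        if method != "CONNECT":
            continue  # only tunnel setup is in scope for this CVE
        leaked = [n for name, v in headers if name == "cookie"
                  for n in cookie_names(v)]
        if leaked:
            findings.append({"tunnel_target": target, "cookie_names": leaked})
    return findings
```

A finding for a host after the fixed package is installed indicates a client still linked against an unpatched libsoup, or a different client with the same behaviour.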
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 10 | libsoup3-0:3.6.5-3.el10_1.11 | RHSA-2026:15968 | 2026-05-11T00:00:00Z |
| Red Hat Enterprise Linux 10 | libsoup3-0:3.6.5-3.el10_2.11 | RHSA-2026:19143 | 2026-05-19T00:00:00Z |
| Red Hat Enterprise Linux 10.0 Extended Update Support | libsoup3-0:3.6.5-3.el10_0.15 | RHSA-2026:17482 | 2026-05-14T00:00:00Z |
| Red Hat Enterprise Linux 8 | libsoup-0:2.62.3-14.el8_10 | RHSA-2026:14087 | 2026-05-06T00:00:00Z |
| Red Hat Enterprise Linux 9 | libsoup-0:2.72.0-12.el9_7.6 | RHSA-2026:13978 | 2026-05-06T00:00:00Z |
| Red Hat Enterprise Linux 9 | libsoup-0:2.72.0-16.el9_8.1 | RHSA-2026:19356 | 2026-05-19T00:00:00Z |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | libsoup-0:2.72.0-8.el9_0.10 | RHSA-2026:21686 | 2026-05-28T00:00:00Z |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | libsoup-0:2.72.0-8.el9_2.11 | RHSA-2026:22316 | 2026-06-01T00:00:00Z |
| Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions | libsoup-0:2.72.0-8.el9_4.10 | RHSA-2026:22323 | 2026-06-01T00:00:00Z |
| Red Hat Enterprise Linux 9.6 Extended Update Support | libsoup-0:2.72.0-10.el9_6.7 | RHSA-2026:22317 | 2026-06-01T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | libsoup | Out of support scope |
| Red Hat Enterprise Linux 7 | libsoup | Affected |
Apply commands
# libsoup3 is the RHEL 10 package name; the RHEL 8 and 9 errata above ship the fix as libsoup.
yum update -y libsoup3
# or:
dnf upgrade -y libsoup3
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 7 | Affected |
OS impact
Debian Affected 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | - |
| sid | Affected | - |
| forky | Affected | - |
| bullseye | Affected | - |
| bookworm | Affected | - |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Red Hat Mixed 6 releases
| Version | Status | Fixed in |
|---|---|---|
| 10.0 | Affected | - |
| 9.0 | Affected | - |
| 9 | Fixed | - |
| 8.0 | Affected | - |
| 8 | Fixed | - |
| 7.0 | Affected | - |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | libsoup-devel-2.72.0-16.el9_8.1.aarch64.rpm |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | - |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| gnome | libsoup | - | |
References
- https://access.redhat.com/errata/RHSA-2026:13978
- https://access.redhat.com/errata/RHSA-2026:19356
- https://access.redhat.com/errata/RHSA-2026:14087
- https://access.redhat.com/errata/RHSA-2026:15968
- https://access.redhat.com/errata/RHSA-2026:17482
- https://access.redhat.com/errata/RHSA-2026:19143
- https://access.redhat.com/security/cve/CVE-2026-5119
- https://bugzilla.redhat.com/show_bug.cgi?id=2452932
- https://gitlab.gnome.org/GNOME/libsoup/-/issues/502
- https://security-tracker.debian.org/tracker/CVE-2026-5119
- https://www.suse.com/security/cve/CVE-2026-5119.html
- https://bugzilla.redhat.com/2452932
- https://errata.almalinux.org/8/ALSA-2026-14087.html
- https://errata.almalinux.org/9/ALSA-2026-13978.html
- https://errata.almalinux.org/9/ALSA-2026-19356.html
- https://access.redhat.com/errata/RHSA-2026:21686
- https://errata.rockylinux.org/RLSA-2026:13978
- https://access.redhat.com/errata/RHSA-2026:22316
- https://access.redhat.com/errata/RHSA-2026:22323
- https://access.redhat.com/errata/RHSA-2026:22317
- https://access.redhat.com/errata/RHSA-2026:22710
- https://access.redhat.com/errata/RHSA-2026:22716
CWEs
CWE-319