SB2026042464 - openEuler 24.03 LTS update for cpp-httplib
Published: April 24, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2026-33745)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive credentials to an unauthorized host.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in ClientImpl::redirect() and redirect credential handling when following cross-origin HTTP redirects. A remote attacker can trigger a redirect to an attacker-controlled host to disclose sensitive credentials to an unauthorized host.
Requests are affected when redirect following is enabled and stored Basic Auth, Bearer Token, or Digest Auth credentials are configured. Cross-origin redirects may also cause credentials to be sent after an HTTPS-to-HTTP downgrade.
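As an added example (not cpp-httplib's own code), the check a client should apply before re-sending stored credentials on a redirect: only a target with the exact same origin (scheme, host and port) keeps them, so a cross-origin hop or an HTTPS-to-HTTP downgrade goes out without an Authorization header. The small URL parser and the function names are hypothetical.

```cpp
// Added example, not cpp-httplib code: decide whether stored credentials may
// be forwarded to a redirect target. Only an exact same-origin target keeps
// Basic/Bearer/Digest credentials; a host change or scheme downgrade drops them.
#include <string>
#include <cctype>

struct Origin {
    std::string scheme;
    std::string host;
    int port = 0;
    bool valid = false;
};

// Minimal parser for "scheme://host[:port][/path]" (no IPv6 literal support).
Origin parse_origin(const std::string& url) {
    Origin o;
    auto sep = url.find("://");
    if (sep == std::string::npos) return o;
    o.scheme = url.substr(0, sep);
    for (auto& c : o.scheme) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    std::string rest = url.substr(sep + 3);
    std::string authority = rest.substr(0, rest.find('/'));
    auto colon = authority.rfind(':');
    if (colon != std::string::npos) {
        o.host = authority.substr(0, colon);
        try { o.port = std::stoi(authority.substr(colon + 1)); } catch (...) { return o; }
    } else {
        o.host = authority;
        o.port = (o.scheme == "https") ? 443 : (o.scheme == "http") ? 80 : 0;
    }
    for (auto& c : o.host) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    o.valid = !o.host.empty() && o.port > 0;
    return o;
}

// True only when the redirect target shares the original request's origin.
// A relative Location (starts with '/') stays on the same origin by definition.
bool should_forward_credentials(const std::string& original, const std::string& redirect) {
    Origin a = parse_origin(original);
    if (!a.valid) return false;
    if (!redirect.empty() && redirect[0] == '/') return true;
    Origin b = parse_origin(redirect);
    if (!b.valid) return false;
    return a.scheme == b.scheme && a.host == b.host && a.port == b.port;
}
```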
2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-34441)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to smuggle arbitrary HTTP requests.
The vulnerability exists due to inconsistent interpretation of HTTP requests in the static file handler and request parsing logic when processing GET requests with a body on HTTP/1.1 keep-alive connections or requests containing both Content-Length and Transfer-Encoding headers. A remote attacker can send a specially crafted GET request with an embedded HTTP request to smuggle arbitrary HTTP requests.
When deployed behind a reverse proxy, the issue can enable proxy-backend desynchronization and proxy-level access control bypass.
Remediation
Install the update from the vendor's website.