Information disclosure in Cpp-httplib - CVE-2026-33745

 


Published: April 24, 2026


Vulnerability identifier: #VU127465
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33745
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cpp-httplib Project
Affected software: Cpp-httplib

Detailed vulnerability description

The vulnerability allows a remote attacker to cause sensitive credentials to be disclosed to an unauthorized host.

The vulnerability exists because ClientImpl::redirect() and the redirect credential handling expose sensitive information to an unauthorized actor when following cross-origin HTTP redirects. A remote attacker can trigger a redirect to an attacker-controlled host, which causes the client to send its credentials to that host.

Requests are affected when redirect following is enabled and stored Basic Auth, Bearer Token, or Digest Auth credentials are configured. Cross-origin redirects may also cause credentials to be sent after an HTTPS-to-HTTP downgrade.
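The condition described above, written as a caller-side check: credentials are re-sent on a redirect only when scheme, host and port all match the original request. This is an added example, not cpp-httplib code and not the vendor's patch; `Origin`, `parse_origin` and `may_forward_credentials` are hypothetical names.

```cpp
// Added example: same-origin test to apply before re-sending credentials on a
// redirect. Hypothetical helper names; this is not the cpp-httplib API.
#include <algorithm>
#include <cctype>
#include <string>

struct Origin {
  std::string scheme, host;
  int port = 0;
};

static std::string lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Parse scheme, host and port from an absolute http(s) URL into `o`.
// Returns false for anything it cannot parse, so callers fail closed.
bool parse_origin(const std::string &url, Origin &o) {
  const std::string::size_type npos = std::string::npos;
  auto sep = url.find("://");
  if (sep == npos) return false;
  o.scheme = lower(url.substr(0, sep));
  if (o.scheme != "http" && o.scheme != "https") return false;
  auto end = url.find_first_of("/?#", sep + 3);
  std::string auth = url.substr(sep + 3, end == npos ? npos : end - (sep + 3));
  auto at = auth.rfind('@');  // drop userinfo so "a@b" is judged by host b
  if (at != npos) auth.erase(0, at + 1);
  auto close = auth.rfind(']');  // a ':' inside an IPv6 literal is not a port
  auto colon = auth.rfind(':');
  std::string port;
  if (colon != npos && (close == npos || colon > close)) {
    port = auth.substr(colon + 1);
    auth.erase(colon);
  }
  if (auth.empty() || port.size() > 5 ||
      !std::all_of(port.begin(), port.end(),
                   [](unsigned char c) { return std::isdigit(c) != 0; }))
    return false;
  o.host = lower(auth);
  o.port = port.empty() ? (o.scheme == "https" ? 443 : 80) : std::stoi(port);
  return true;
}

// A scheme mismatch covers the HTTPS-to-HTTP downgrade case.
bool may_forward_credentials(const std::string &from, const std::string &to) {
  Origin a, b;
  return parse_origin(from, a) && parse_origin(to, b) && a.scheme == b.scheme &&
         a.host == b.host && a.port == b.port;
}
```

A relative `Location` value has to be resolved against the current URL before the call, because the check rejects anything that is not an absolute http(s) URL.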


How to mitigate CVE-2026-33745

Install the security update from the vendor's website.
