Use of cache containing sensitive information in undici - CVE-2026-9678
Published: June 17, 2026
undici
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to use of cache containing sensitive information in the cache interceptor when processing responses with whitespace-padded qualified private or no-cache directives in the Cache-Control header. A remote attacker can send requests that resolve to the same cache key to disclose sensitive information.
Only applications that explicitly enable interceptors.cache() in shared-cache mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified directives are vulnerable.
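The following JavaScript is an added example, not undici's code and not part of the original advisory: a defensive Cache-Control check for a shared cache that ignores whitespace padding around directive names, the "=" and the value, so a padded qualified private or no-cache directive is still recognized. The function names, the sample headers, and the policy of treating qualified directives like their unqualified forms are assumptions made for illustration.

```javascript
// Added example, not undici code. Splits on commas outside quoted strings.
function splitDirectives(header) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    if (inQuotes && ch === '\\' && i + 1 < header.length) {
      current += ch + header[++i]; // keep a quoted-pair together
    } else if (ch === ',' && !inQuotes) {
      parts.push(current);
      current = '';
    } else {
      if (ch === '"') inQuotes = !inQuotes;
      current += ch;
    }
  }
  parts.push(current); // an unterminated quote keeps the rest in one directive
  return parts;
}

// Lowercased directive name -> argument (true when there is none). Padding
// around the name, the "=" and the value is ignored.
function parseCacheControl(header) {
  const directives = new Map();
  for (const part of splitDirectives(String(header || ''))) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    const arg = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
    directives.set(name, arg);
  }
  return directives;
}

// Assumed policy: qualified private/no-cache counts as the unqualified form,
// and no-cache is refused outright instead of stored for revalidation.
function sharedCacheMayStore(cacheControl, requestHasAuthorization) {
  const d = parseCacheControl(cacheControl);
  if (d.has('no-store') || d.has('private') || d.has('no-cache')) return false;
  if (!requestHasAuthorization) return true;
  // Authenticated requests need explicit permission for shared storage.
  return d.has('public') || d.has('s-maxage') || d.has('must-revalidate');
}

// Constructed sample headers with padded qualified directives.
const SAMPLES = ['private = "set-cookie", max-age=60', 'max-age=60 , no-cache= "authorization"'];
const sampleResults = () => SAMPLES.map((h) => sharedCacheMayStore(h, true));
```

A check like this can run over captured upstream response headers to find endpoints that emit non-canonical qualified directives while Authorization is being forwarded.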