Origin validation error in undici - CVE-2026-6734

 


Published: June 17, 2026


Vulnerability identifier: #VU134758
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-6734
CWE-ID: CWE-346
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Node.js
Affected software:
undici

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information, modify request routing, and cause requests to be sent to the wrong origin.

The vulnerability exists due to an origin validation error in Socks5ProxyAgent connection pool reuse when handling requests to multiple origins through a shared proxy agent. A remote user can trigger requests to a different origin through the reused pool to disclose sensitive information, modify request routing, and cause requests to be sent to the wrong origin.

Responses from the wrong origin may be trusted, and HTTPS requests may be silently downgraded to HTTP.
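
The bug class described above, as an added example that is not undici's code: a simplified model in which one agent caches a single pool for all origins, next to a form that keys pools by origin and checks the match before sending. The names `openPool`, `SharedPoolAgent`, `PerOriginAgent` and `demo`, and the `a.example`/`b.example` hosts, are hypothetical and constructed for illustration.

```javascript
// Simplified model of pool reuse behind a shared proxy agent.
// Constructed for illustration; this is NOT undici's implementation.

// A "pool" is bound to the origin it was opened for and sends everything there.
const openPool = (origin) => ({ origin, send: (path) => `${origin}${path}` });

// Weak pattern: one pool per agent, reused regardless of the requested origin.
class SharedPoolAgent {
  #pool = null;
  request(origin, path) {
    if (this.#pool === null) this.#pool = openPool(origin);
    // The origin of later requests is never compared with the pool's origin.
    return this.#pool.send(path);
  }
}

// Hardened pattern: pools keyed by normalized origin (scheme + host + port),
// with an explicit origin check before the request leaves.
class PerOriginAgent {
  #pools = new Map();
  request(origin, path) {
    const key = new URL(origin).origin;
    if (!this.#pools.has(key)) this.#pools.set(key, openPool(key));
    const pool = this.#pools.get(key);
    if (pool.origin !== key) throw new Error('pool/origin mismatch');
    return pool.send(path);
  }
}

// Two requests to different origins through the same agent (constructed input).
function demo(agent) {
  return [
    agent.request('http://a.example', '/login'),
    agent.request('https://b.example', '/token'),
  ];
}

console.log('shared pool :', demo(new SharedPoolAgent()));
console.log('per origin  :', demo(new PerOriginAgent()));
```

In the shared-pool run the second request is delivered to `http://a.example`, which is both the wrong origin and a downgrade from HTTPS to HTTP; in the per-origin run each request reaches the origin it named.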


How to mitigate CVE-2026-6734

Install the security update from the vendor's website.

Sources