CRLF injection in PSR-7 - CVE-2026-55766


Published: June 18, 2026


Vulnerability identifier: #VU134879
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-55766
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Guzzle
Affected software: PSR-7

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary HTTP header lines.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP start-line fields when serializing PSR-7 messages as raw HTTP/1.x. A remote attacker can supply crafted method, protocol version, or reason phrase values to inject arbitrary HTTP header lines.

Exploitation requires attacker-controlled data to be placed into the request method, protocol version, or response reason phrase and for the malformed message to be serialized and processed by downstream software that does not independently reject the malformed start line.
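As an added example (not code from the advisory or from guzzlehttp/psr7), the following PHP guard rejects start-line values that fall outside the RFC 7230 grammar before a PSR-7 message is serialized as raw HTTP/1.x; it assumes only the psr/http-message interfaces are installed, and the sample inputs at the end are constructed.

```php
<?php
// Added example, not part of guzzlehttp/psr7. Validates the three start-line
// fields named in the advisory against the RFC 7230 grammar, which excludes CR
// and LF from all of them. Assumes psr/http-message is available via Composer.
declare(strict_types=1);

use Psr\Http\Message\MessageInterface;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;

// method = token = 1*tchar (RFC 7230 section 3.2.6); CR, LF and SP are not tchar.
function isValidMethod(string $method): bool
{
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $method) === 1;
}

// PSR-7 stores the version without the "HTTP/" prefix: DIGIT [ "." DIGIT ].
function isValidProtocolVersion(string $version): bool
{
    return preg_match('/^[0-9](?:\.[0-9])?$/', $version) === 1;
}

// reason-phrase = *( HTAB / SP / VCHAR / obs-text ); bytewise match, no "u" flag.
function isValidReasonPhrase(string $reason): bool
{
    return preg_match('/^[\t\x20-\x7E\x80-\xFF]*$/', $reason) === 1;
}

// Guard to call immediately before a message is turned into raw HTTP/1.x text.
function assertSafeStartLine(MessageInterface $message): void
{
    if (!isValidProtocolVersion($message->getProtocolVersion())) {
        throw new InvalidArgumentException('Invalid protocol version in start line');
    }
    if ($message instanceof RequestInterface && !isValidMethod($message->getMethod())) {
        throw new InvalidArgumentException('Invalid request method in start line');
    }
    if ($message instanceof ResponseInterface
        && !isValidReasonPhrase($message->getReasonPhrase())) {
        throw new InvalidArgumentException('Invalid reason phrase in start line');
    }
}

// Constructed sample values: a field carrying CR/LF must be rejected.
assert(isValidMethod('GET'));
assert(!isValidMethod("GET\r\n"));
assert(isValidProtocolVersion('1.1') && !isValidProtocolVersion("1.1\r\n"));
assert(isValidReasonPhrase('Not Found') && !isValidReasonPhrase("OK\r\n"));
```

Apply the string validators at the point where untrusted input would otherwise become a method, version or reason phrase, and call assertSafeStartLine() on the message right before handing it to the serializer, so the check holds even if a downstream consumer does not independently reject a malformed start line.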


How to mitigate CVE-2026-55766

Install the security update from the vendor's website.

Sources