Medium severity6.5NVD Advisory· Published May 12, 2026· Updated May 19, 2026
CVE-2026-8368
CVE-2026-8368
Description
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.
On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes.
A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- Range: <6.83
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.