CVE-2026-15075

Source
https://cve.org/CVERecord?id=CVE-2026-15075
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15075.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15075
Published
2026-07-14T08:15:53.650Z
Modified
2026-07-16T03:45:26.228474461Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
[none]
Details

In Eclipse Vert.x versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), DefaultRedirectHandler (vertx-core) propagates all request headers as-is across cross-origin HTTP 30x redirects. Only Content-Length is stripped; no origin comparison (scheme, host, port) is performed before copying headers to the redirect target. As a result, credential headers, including Authorization, Cookie, Proxy-Authorization, and arbitrary custom headers such as X-API-Token, are forwarded to the redirect destination without the caller's knowledge.

An attacker who can cause a Vert.x HttpClient to issue a request that is redirected to an attacker-controlled host (for example, by supplying a URL to a webhook dispatcher, image proxy, or microservice URL fetcher) can capture bearer tokens, basic-auth credentials, session cookies, and API keys attached to the original request.

Database specific
{
    "cwe_ids": [
        "CWE-200",
        "CWE-346"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15075.json",
    "cna_assigner": "eclipse"
}
References

Affected packages

Git / github.com/eclipse-vertx/vert.x

Affected ranges

Type
GIT
Repo
https://github.com/eclipse-vertx/vert.x
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.0.0"
        },
        {
            "last_affected": "4.5.29"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "last_affected": "5.1.4"
        }
    ],
    "source": "AFFECTED_FIELD"
}
Type
GIT
Repo
https://github.com/vert-x3/vertx-web
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.5.29"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "last_affected": "5.1.4"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

3.*
3.0.0
3.0.0-milestone2
3.0.0-milestone3
3.0.0-milestone4
3.0.0-milestone5
3.0.0-milestone6
3.1.0
3.2.0
3.2.1
3.3.0
3.3.0.CR2
3.3.1
3.3.2
3.3.3
3.4.0
3.4.0.Beta1
3.4.1
3.4.2
3.5.0
3.5.1
3.6.0
3.6.0.CR1
3.6.0.CR2
4.*
4.0.0
4.0.0-milestone1
4.0.0-milestone2
4.0.0-milestone4
4.0.0-milestone5
4.0.0.Beta1
4.0.0.Beta3
4.0.0.CR1
4.0.0.CR2
4.0.1
4.0.2
4.0.3
4.1.0
4.1.0.Beta1
4.1.0.CR1
4.1.0.CR2
4.1.1
4.2.0
4.2.0.Beta1
4.2.0.CR1
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.5.0
4.5.1
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.5.15
4.5.16
4.5.17
4.5.18
4.5.19
4.5.2
4.5.20
4.5.21
4.5.22
4.5.23
4.5.24
4.5.25
4.5.26
4.5.27
4.5.28
4.5.29
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
5.*
5.0.0
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15075.json"