CVE-2026-48998

Source
https://cve.org/CVERecord?id=CVE-2026-48998
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48998.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48998
Aliases
Downstream
Related
Published
2026-06-11T12:34:32.397Z
Modified
2026-07-15T01:49:13.591269597Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation
Details

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as trusted.example@evil.example. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with GuzzleHttp\Psr7\Message::parseRequest() or the legacy 1.x GuzzleHttp\Psr7\parse_request() function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in 2.10.2. 1.x is end-of-life and will not receive a patch. Some workarounds are available. Validate the Host header as uri-host [ ":" port ] before calling Message::parseRequest() or legacy parse_request() on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48998.json",
    "cwe_ids": [
        "CWE-20",
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/guzzle/psr7

Affected ranges

Type
GIT
Repo
https://github.com/guzzle/psr7
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:guzzlephp:psr-7:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.10.2"
        }
    ]
}

Affected versions

1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.6.0
2.*
2.0.0
2.0.0-beta1
2.0.0-rc1
2.1.0
2.10.0
2.10.1
2.2.0
2.2.1
2.2.2
2.3.0
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.6.0
2.6.1
2.6.2
2.6.3
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48998.json"