{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "0.095"
              }
            ],
            "source": [
              "DESCRIPTION",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "fb410436ac6bd435d893d3ca34e575a1523d5ebb"
            },
            {
              "fixed": "84984ef3930ddd4afcf5eb83b40d3cee200739c3"
            },
            {
              "fixed": "8f32ca89e21c3ad0422adc698fa6ad17a193f55f"
            },
            {
              "fixed": "e7a03aedf2395158f2b0d3bad2df943349227bb3"
            }
          ],
          "repo": "https://github.com/perl-toolchain-gang/http-tiny",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "CPANSec",
    "cwe_ids": [
      "CWE-522"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7017.json"
  },
  "details": "HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.\n\nWhen the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire.\n\nThe HTTP::Tiny POD note that \"Authorization headers will not be included in a redirected request\" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.",
  "id": "CVE-2026-7017",
  "modified": "2026-07-10T03:54:14.487144085Z",
  "published": "2026-07-07T17:41:48.989Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/07/13"
    },
    {
      "type": "WEB",
      "url": "https://cpan.org/modules"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7017.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://metacpan.org/release/HAARG/HTTP-Tiny-0.095-TRIAL/changes"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7017"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/pull/36"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/84984ef3930ddd4afcf5eb83b40d3cee200739c3.patch"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/8f32ca89e21c3ad0422adc698fa6ad17a193f55f.patch"
    },
    {
      "type": "FIX",
      "url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny/commit/e7a03aedf2395158f2b0d3bad2df943349227bb3.patch"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Perl-Toolchain-Gang/HTTP-Tiny"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets"
}