CVE-2026-28434: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in yhirose cpp-httplib
CVE-2026-28434 is a medium severity vulnerability in the yhirose cpp-httplib library versions prior to 0.35.0. When a request handler throws a C++ exception and no custom exception handler is registered, the library catches the exception and exposes its message in an HTTP response header named EXCEPTION_WHAT. This header is sent to any client making the request without authentication or special configuration, leading to unintended leakage of sensitive internal exception details. The vulnerability arises from the default behavior of the library and can be mitigated by upgrading to version 0.35.0 or later, or by explicitly registering a custom exception handler. While no known exploits are reported in the wild, affected applications risk information disclosure that could aid attackers in reconnaissance or further exploitation. Organizations using cpp-httplib in server applications should assess their versions and exception handling configurations promptly.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-28434 affects the yhirose cpp-httplib, a widely used C++11 single-file header-only HTTP/HTTPS library. In versions prior to 0.35.0, if a request handler throws a C++ exception and the application developer has not registered a custom exception handler via the set_exception_handler() API, the library internally catches the exception and writes the exception's message directly into the HTTP response header named EXCEPTION_WHAT. This header is included in the response sent back to the client that made the request, without any authentication or authorization checks. Because this is the library's default behavior, developers unaware of it may inadvertently ship servers that leak internal exception messages to any requesting client. These exception messages may contain sensitive information such as internal logic details, file paths, or other debugging data that could assist attackers in understanding the server's internal workings. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It does not require user interaction, authentication, or complex attack vectors to exploit, making it relatively easy to trigger. The issue was addressed and fixed in cpp-httplib version 0.35.0 by changing this behavior, presumably by requiring explicit opt-in for exception message exposure or by suppressing such messages in responses. No known exploits have been reported in the wild as of the publication date, but the risk remains for applications using affected versions without mitigation.
Potential Impact
The primary impact of this vulnerability is the unintended disclosure of sensitive internal exception messages to any unauthenticated client making HTTP requests to a server using the vulnerable cpp-httplib versions. This information leakage can aid attackers in reconnaissance by revealing internal server logic, error conditions, file paths, or other sensitive debugging information. Such intelligence can facilitate further targeted attacks, including exploitation of other vulnerabilities or crafting of more effective social engineering or injection attacks. Although this vulnerability does not directly allow code execution or denial of service, the confidentiality breach can compromise the security posture of affected organizations. The scope of impact includes any organization deploying server applications built with cpp-httplib versions prior to 0.35.0 that do not implement a custom exception handler. Given the library's cross-platform nature and popularity in C++ projects, the vulnerability could affect a broad range of industries and geographies. The ease of exploitation and lack of required authentication increase the risk, especially for publicly accessible services.
Mitigation Recommendations
Organizations should immediately identify any applications using cpp-httplib versions earlier than 0.35.0. The most effective mitigation is to upgrade to cpp-httplib version 0.35.0 or later, where this vulnerability is fixed. If upgrading is not immediately feasible, developers should implement a custom exception handler using the set_exception_handler() API to prevent exception messages from being included in HTTP response headers. Additionally, server administrators should review and restrict access to sensitive endpoints and consider implementing web application firewalls (WAFs) to detect and block suspicious requests that may trigger exceptions. Logging and monitoring should be enhanced to detect unusual patterns that could indicate exploitation attempts. Developers should also audit their code to ensure that exception handling does not leak sensitive information through other channels. Finally, educating development teams about secure exception handling practices in cpp-httplib is recommended to prevent similar issues.
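The following is an added example, not code from the advisory or from the cpp-httplib project. It models the dispatch path the Technical Summary describes and the mitigation recommended above: a tiny stand-in server (`MiniServer`, `Request`, `Response` are hypothetical types written for this page; httplib.h is deliberately not included, so the block compiles offline) reproduces the pre-0.35.0 fallback that copies `e.what()` into an `EXCEPTION_WHAT` header, beside a hardened exception handler that logs the detail server-side and returns an opaque 500. The handler callback uses the three-argument shape (request, response, `std::exception_ptr`) that, to my knowledge, recent `set_exception_handler()` releases accept; treat that as an assumption and check it against the header you ship. `leaks_exception_header()` is the kind of check a defender can run over captured responses to confirm the mitigation is in place. The exception text is a constructed sample.

```cpp
// Added example: self-contained model of the behaviour described in CVE-2026-28434.
// Request/Response/MiniServer are stand-ins written for this page, not cpp-httplib's own types.
#include <exception>
#include <functional>
#include <map>
#include <stdexcept>
#include <string>

struct Request { std::string path; };

struct Response {
  int status = 200;
  std::map<std::string, std::string> headers;
  std::string body;
  void set_header(const std::string& k, const std::string& v) { headers[k] = v; }
};

using Handler = std::function<void(const Request&, Response&)>;
// Assumed to mirror the shape of the real set_exception_handler() callback.
using ExceptionHandler =
    std::function<void(const Request&, Response&, std::exception_ptr)>;

// Minimal stand-in for the library's routing: if a custom exception handler is
// registered it is called; otherwise the pre-0.35.0 fallback leaks e.what().
struct MiniServer {
  Handler handler;
  ExceptionHandler exception_handler;  // empty == "no custom handler registered"

  Response dispatch(const Request& req) {
    Response res;
    try {
      handler(req, res);
    } catch (std::exception& e) {
      if (exception_handler) {
        exception_handler(req, res, std::current_exception());
      } else {
        // Vulnerable default: the internal message goes straight to the client.
        res.status = 500;
        res.set_header("EXCEPTION_WHAT", e.what());
      }
    }
    return res;
  }
};

// Handler whose failure message carries an internal detail (constructed sample).
void leaky_handler(const Request&, Response&) {
  throw std::runtime_error("open failed: /srv/app/secrets/db.conf");
}

// Hardened handler: keep the diagnostic in the server log, send an opaque 500.
// `log_sink` stands in for the application's logger.
ExceptionHandler make_safe_exception_handler(std::string& log_sink) {
  return [&log_sink](const Request& req, Response& res, std::exception_ptr ep) {
    std::string detail = "unknown exception";
    try {
      if (ep) std::rethrow_exception(ep);
    } catch (const std::exception& e) {
      detail = e.what();
    } catch (...) {
    }
    log_sink += req.path + ": " + detail + "\n";  // stays server-side
    res.status = 500;
    res.set_header("Content-Type", "text/plain");
    res.body = "Internal Server Error";
  };
}

// Defender-side check over a captured response: is the diagnostic header present?
bool leaks_exception_header(const Response& res) {
  return res.headers.count("EXCEPTION_WHAT") > 0;
}

// No custom handler registered: models an affected deployment.
Response run_default(const Request& req) {
  MiniServer s;
  s.handler = leaky_handler;
  return s.dispatch(req);
}

// Custom handler registered: models the mitigated deployment.
Response run_hardened(const Request& req, std::string& log_sink) {
  MiniServer s;
  s.handler = leaky_handler;
  s.exception_handler = make_safe_exception_handler(log_sink);
  return s.dispatch(req);
}
```

With the real library the same handler body is passed to `svr.set_exception_handler(...)`; the point of the pattern is that the only data leaving the process on a handler failure is a fixed status and body, while the exception text is written to a log the client cannot read. Catching `...` in the handler matters because not every thrown object derives from `std::exception`.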
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, China, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:54:05.138Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a88c81d1a09e29cb6b4cb7
Added to database: 3/4/2026, 7:48:17 PM
Last enriched: 3/4/2026, 8:02:51 PM
Last updated: 3/4/2026, 9:01:24 PM