CVE-2026-33745: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in yhirose cpp-httplib
CVE-2026-33745 is a high-severity vulnerability in cpp-httplib versions prior to 0.39.0 where HTTP clients forward stored authentication credentials (Basic Auth, Bearer Token, Digest Auth) to arbitrary hosts during cross-origin HTTP redirects. This occurs because the client does not restrict sending Authorization headers when following 301/302/307/308 redirects to different origins. An attacker controlling or compromising a redirecting server can exploit this to capture plaintext credentials, leading to sensitive information exposure. The vulnerability affects all users of cpp-httplib before version 0.39.0 and requires no user interaction or authentication to exploit. The issue is fixed in version 0.39.
AI Analysis
Technical Summary
CVE-2026-33745 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the cpp-httplib library, a widely used C++11 single-file header-only HTTP/HTTPS client and server library. Versions prior to 0.39.0 improperly handle HTTP redirects by forwarding stored authentication credentials—including Basic Auth, Bearer Token, and Digest Auth—in the Authorization header to arbitrary hosts when following cross-origin HTTP redirects (status codes 301, 302, 307, 308). This behavior occurs because the client does not verify or restrict the destination of redirects before sending sensitive credentials. An attacker who controls or compromises a server that issues such redirects can cause the client to send its credentials to an attacker-controlled host, exposing plaintext authentication tokens. This flaw can be exploited without any user interaction or prior authentication, making it remotely exploitable over the network. The vulnerability impacts confidentiality and integrity by leaking sensitive credentials, potentially allowing attackers to impersonate users or gain unauthorized access to protected resources. The issue was addressed in cpp-httplib version 0.39.0 by modifying redirect handling to prevent forwarding credentials to untrusted or cross-origin hosts. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 base score is 7.4 (High), reflecting the network attack vector, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Potential Impact
The primary impact of CVE-2026-33745 is the unauthorized disclosure of sensitive authentication credentials to attacker-controlled hosts via HTTP redirect chains. Organizations using vulnerable versions of cpp-httplib in their applications risk credential leakage, which can lead to unauthorized access to internal or external services, data breaches, and further lateral movement within networks. This exposure undermines the confidentiality and integrity of authentication mechanisms, potentially allowing attackers to impersonate legitimate users or services. Since cpp-httplib is a cross-platform library used in various C++ applications, the scope of affected systems can be broad, including embedded systems, IoT devices, desktop applications, and backend services. The vulnerability does not directly affect availability but can facilitate further attacks that degrade service. The ease of exploitation over the network without authentication or user interaction increases the threat level. Organizations relying on automated HTTP clients or microservices using cpp-httplib are especially vulnerable. The lack of known exploits in the wild suggests limited active exploitation currently, but the risk remains significant due to the nature of the flaw.
Mitigation Recommendations
To mitigate CVE-2026-33745, organizations should immediately upgrade all instances of cpp-httplib to version 0.39.0 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, implement strict validation of HTTP redirects in client code to ensure that Authorization headers are only sent to trusted or same-origin hosts. Developers should audit their use of cpp-httplib to identify any scenarios where cross-origin redirects might occur and disable automatic redirect following or strip Authorization headers on redirects to different origins. Employ network-level controls such as web application firewalls (WAFs) or proxy servers to detect and block suspicious redirect patterns that could lead to credential leakage. Additionally, consider implementing monitoring and alerting for unusual outbound HTTP requests containing Authorization headers to unknown or untrusted domains. Educate development teams about secure redirect handling and the risks of forwarding credentials across origins. Finally, perform regular security assessments and code reviews focusing on HTTP client behavior and authentication token management.
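The mitigation described above, sending Authorization only when the redirect target shares the origin of the original request, as an added C++ example. This is not cpp-httplib's own code and not the 0.39.0 fix: Origin, parse_origin, is_same_origin and headers_for_redirect are hypothetical helpers written for this page, and the bearer token in main() is a constructed value. Any change of scheme, host or port counts as a new origin, and a target URL that cannot be parsed is treated as cross-origin so credentials fall on the safe side.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Scheme, host and port of a URL: the three components that define an origin.
// Hypothetical helper type for this example, not a cpp-httplib type.
struct Origin {
    std::string scheme;
    std::string host;
    int port = 0;
    bool operator==(const Origin &o) const {
        return scheme == o.scheme && host == o.host && port == o.port;
    }
};

static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool iequals(const std::string &a, const std::string &b) {
    return to_lower(a) == to_lower(b);
}

// Parses "scheme://[userinfo@]host[:port][/path]" into an Origin.
// Returns false for anything it cannot parse (IPv6 literals are not handled here).
bool parse_origin(const std::string &url, Origin &out) {
    const auto sep = url.find("://");
    if (sep == std::string::npos) return false;
    out.scheme = to_lower(url.substr(0, sep));
    std::string authority = url.substr(sep + 3);
    authority = authority.substr(0, authority.find('/'));  // drop the path
    const auto at = authority.rfind('@');                   // drop userinfo
    if (at != std::string::npos) authority = authority.substr(at + 1);
    const auto colon = authority.rfind(':');
    if (colon != std::string::npos) {
        const std::string port = authority.substr(colon + 1);
        if (port.empty() || port.size() > 5 ||
            !std::all_of(port.begin(), port.end(),
                         [](unsigned char c) { return std::isdigit(c) != 0; }))
            return false;
        out.port = std::stoi(port);
        if (out.port > 65535) return false;
        authority = authority.substr(0, colon);
    } else if (out.scheme == "https") {
        out.port = 443;
    } else if (out.scheme == "http") {
        out.port = 80;
    } else {
        return false;  // unknown scheme and no explicit port
    }
    if (authority.empty()) return false;
    out.host = to_lower(authority);
    return true;
}

// True only when scheme, host and port all match. A malformed URL on either
// side is never "same origin", so credentials are withheld in doubt.
bool is_same_origin(const std::string &from_url, const std::string &to_url) {
    Origin a, b;
    return parse_origin(from_url, a) && parse_origin(to_url, b) && a == b;
}

using Headers = std::multimap<std::string, std::string>;  // alias for this example

// Builds the header set to send when following a redirect from `from_url` to
// `to_url`: every header is copied except Authorization, which is dropped
// unless the two URLs share an origin.
Headers headers_for_redirect(const std::string &from_url, const std::string &to_url,
                             const Headers &original) {
    const bool same = is_same_origin(from_url, to_url);
    Headers out;
    for (const auto &kv : original) {
        if (!same && iequals(kv.first, "Authorization")) continue;  // cross-origin: strip
        out.insert(kv);
    }
    return out;
}

int main() {
    // Constructed request: the token is a placeholder, not a real credential.
    const Headers req = {{"Authorization", "Bearer CONSTRUCTED-EXAMPLE-TOKEN"},
                         {"Accept", "*/*"}};
    const std::string start = "https://api.example.com/v1/me";
    for (const std::string target : {"https://api.example.com/v2/me",   // same origin
                                     "https://login.example.net/",      // other host
                                     "http://api.example.com/v1/me"}) { // scheme downgrade
        const Headers h = headers_for_redirect(start, target, req);
        std::cout << target << " -> Authorization "
                  << (h.count("Authorization") ? "kept" : "dropped") << "\n";
    }
    return 0;
}
```

In a client that follows redirects itself, call headers_for_redirect with the original request URL and the Location value before issuing the next request. The same origin comparison is also the rule to encode in the outbound monitoring recommended above: a request carrying Authorization to a host, scheme or port that differs from the request it was redirected from is the event worth alerting on.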
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, China, India, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T17:34:57.562Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c5da053c064ed76f01c43f
Added to database: 3/27/2026, 1:14:45 AM
Last enriched: 3/27/2026, 1:30:50 AM
Last updated: 3/27/2026, 2:34:54 AM