CVE-2026-39807: CWE-807 Reliance on Untrusted Inputs in a Security Decision in mtrudel bandit
CVE-2026-39807 is a medium severity vulnerability in mtrudel bandit versions from 1.0.0 before 1.11.0. It involves reliance on untrusted inputs in a security decision, where the client-supplied URI scheme is trusted without verification of the actual transport security. This allows an unauthenticated attacker on a plaintext HTTP connection to spoof the transport state, causing the server to incorrectly treat the connection as secure (HTTPS). This misclassification can lead to insecure handling of cookies, incorrect logging, and bypass of security checks that depend on the connection being secure.
AI Analysis
Technical Summary
The vulnerability arises in the Elixir.Bandit.Pipeline module, specifically in the determine_scheme/2 function, which returns the client-supplied URI scheme verbatim without validating the transport's secure? flag. Attackers can exploit this by sending HTTP/1.1 absolute-form requests or HTTP/2 :scheme pseudo-headers over plaintext TCP connections, falsely indicating HTTPS. As a result, downstream components such as Plug.SSL may skip necessary HTTP to HTTPS redirects, cookies marked as secure may be sent over plaintext, audit logs may inaccurately record requests as secure, and CSRF or SameSite protections may be bypassed or misapplied. This affects bandit versions from 1.0.0 up to but not including 1.11.0.
Potential Impact
An attacker can cause the server to treat an insecure plaintext HTTP connection as if it were secure HTTPS. This can lead to sensitive cookies being transmitted without encryption, security mechanisms that rely on connection security being bypassed or misapplied, and inaccurate logging of request security status. This undermines the integrity of security decisions based on the connection scheme, potentially exposing users to session hijacking or other attacks relying on secure transport assumptions.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or remediation level is provided in the vendor advisory. Users should check the vendor's official advisory or repository for updates or patches addressing this issue. Until a fix is available, avoid relying solely on conn.scheme for security decisions and consider implementing additional verification of transport security at the application level.
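The application-level check recommended above can be implemented as a Plug that runs ahead of Plug.SSL and any cookie or CSRF logic. The module below is an added example, not code from Bandit or Plug; it assumes the application knows statically which scheme each listener was started with (the `scheme:` option it passed to Bandit) and pins `conn.scheme` to that value instead of the client-supplied one.

```elixir
# Added example (hypothetical module name), not part of Bandit or Plug.
# Pins conn.scheme to the scheme the listener actually provides, so a
# client claiming "https" on a plaintext listener cannot influence
# Plug.SSL, secure-cookie handling or audit logging downstream.
defmodule MyApp.Plugs.PinScheme do
  @behaviour Plug
  require Logger

  @impl true
  def init(opts) do
    # :listener_scheme is the value the app passed as `scheme:` when
    # starting Bandit; it is trusted because it comes from app config,
    # not from the request.
    scheme = Keyword.fetch!(opts, :listener_scheme)
    true = scheme in [:http, :https]
    scheme
  end

  @impl true
  def call(%Plug.Conn{scheme: claimed} = conn, listener_scheme) do
    # A mismatch means the request line or :scheme pseudo-header claimed a
    # transport the listener does not provide; record it for detection.
    if claimed != listener_scheme do
      Logger.warning(
        "scheme mismatch: client claimed #{claimed}, listener is #{listener_scheme}"
      )
    end

    %{conn | scheme: listener_scheme}
  end
end

# Example pipeline: pin the scheme first, then let the usual security
# plugs make their decisions on the pinned value.
defmodule MyApp.Router do
  use Plug.Builder

  plug MyApp.Plugs.PinScheme, listener_scheme: :http
  plug Plug.SSL, host: "example.com"
end
```

If a trusted reverse proxy terminates TLS in front of a plaintext listener, place this plug before Plug.RewriteOn so that the proxy's x-forwarded-proto header can still upgrade the pinned scheme.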
Technical Details
- Data Version: 5.2
- Assigner Short Name: EEF
- Date Reserved: 2026-04-07T12:28:54.916Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f5124bcbff5d86105840e4
Added to database: 5/1/2026, 8:51:23 PM
Last enriched: 5/1/2026, 9:06:50 PM
Last updated: 5/1/2026, 9:56:05 PM