CVE-2026-42855: CWE-287: Improper Authentication in espressif arduino-esp32
CVE-2026-42855 is a high-severity vulnerability in the arduino-esp32 core for ESP32 microcontrollers prior to version 3. 3. 8. The issue involves improper authentication in the WebServer Digest authentication implementation, where the server uses the URI from the client's Authorization header without verifying it matches the actual requested URI. This flaw allows an attacker with any valid digest response for one URI to authenticate requests to different protected URIs, bypassing per-resource access controls. The vulnerability is fixed in version 3. 3. 8.
AI Analysis
Technical Summary
The arduino-esp32 core for ESP32 microcontrollers versions before 3.3.8 contains an improper authentication vulnerability (CWE-287) in its WebServer Digest authentication mechanism. Specifically, the authentication hash is computed using the URI field from the client's Authorization header without verifying that it corresponds to the actual requested URI. This permits an attacker who has a valid digest response for one URI to reuse it to authenticate requests to other protected URIs, effectively bypassing per-resource access control restrictions. This vulnerability has a CVSS 3.1 base score of 7.5 (high severity) and is addressed by updating to version 3.3.8.
Potential Impact
An attacker can bypass per-resource access controls by reusing a valid digest authentication response intended for one URI to access other protected URIs. This compromises the intended authentication boundaries and could allow unauthorized access to sensitive resources. The vulnerability does not impact confidentiality beyond authentication bypass, nor does it affect integrity or availability directly.
Mitigation Recommendations
A fix is available in arduino-esp32 version 3.3.8. Users should upgrade to version 3.3.8 or later to remediate this vulnerability. Since this is a cloud service managed by the vendor, the vendor is responsible for patching the hosted service. Check the vendor advisory for confirmation of patch deployment status.
CVE-2026-42855: CWE-287: Improper Authentication in espressif arduino-esp32
Description
CVE-2026-42855 is a high-severity vulnerability in the arduino-esp32 core for ESP32 microcontrollers prior to version 3. 3. 8. The issue involves improper authentication in the WebServer Digest authentication implementation, where the server uses the URI from the client's Authorization header without verifying it matches the actual requested URI. This flaw allows an attacker with any valid digest response for one URI to authenticate requests to different protected URIs, bypassing per-resource access controls. The vulnerability is fixed in version 3. 3. 8.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The arduino-esp32 core for ESP32 microcontrollers versions before 3.3.8 contains an improper authentication vulnerability (CWE-287) in its WebServer Digest authentication mechanism. Specifically, the authentication hash is computed using the URI field from the client's Authorization header without verifying that it corresponds to the actual requested URI. This permits an attacker who has a valid digest response for one URI to reuse it to authenticate requests to other protected URIs, effectively bypassing per-resource access control restrictions. This vulnerability has a CVSS 3.1 base score of 7.5 (high severity) and is addressed by updating to version 3.3.8.
Potential Impact
An attacker can bypass per-resource access controls by reusing a valid digest authentication response intended for one URI to access other protected URIs. This compromises the intended authentication boundaries and could allow unauthorized access to sensitive resources. The vulnerability does not impact confidentiality beyond authentication bypass, nor does it affect integrity or availability directly.
Mitigation Recommendations
A fix is available in arduino-esp32 version 3.3.8. Users should upgrade to version 3.3.8 or later to remediate this vulnerability. Since this is a cloud service managed by the vendor, the vendor is responsible for patching the hosted service. Check the vendor advisory for confirmation of patch deployment status.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-30T16:44:48.379Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a03a7e4cbff5d86101ff976
Added to database: 5/12/2026, 10:21:24 PM
Last enriched: 5/12/2026, 10:36:25 PM
Last updated: 5/12/2026, 11:25:55 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.