CVE-2026-5119: Cleartext Transmission of Sensitive Information in Red Hat Enterprise Linux 10
CVE-2026-5119 is a medium severity vulnerability affecting Red Hat Enterprise Linux 10, specifically in the libsoup library. When HTTPS tunnels are established through an HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. This flaw allows a network-positioned attacker or malicious proxy to intercept these cookies, potentially leading to session hijacking or user impersonation. Exploitation requires user interaction and has a high impact on confidentiality but limited impact on integrity and no impact on availability. No known exploits are currently reported in the wild. Organizations using Red Hat Enterprise Linux 10 with HTTP proxies should prioritize patching and consider network-level protections to mitigate risk.
AI Analysis
Technical Summary
CVE-2026-5119 is a vulnerability identified in the libsoup library used by Red Hat Enterprise Linux 10. The issue arises during the establishment of HTTPS tunnels via a configured HTTP proxy. Normally, HTTPS tunnels use the HTTP CONNECT method to create a secure channel through the proxy, after which encrypted communication occurs. However, due to this flaw, sensitive session cookies are included in cleartext within the initial HTTP CONNECT request before the secure tunnel is fully established. This exposure allows an attacker positioned on the network path or a malicious HTTP proxy to intercept these cookies. Since session cookies often contain authentication tokens, their interception can lead to session hijacking or user impersonation attacks. The vulnerability has a CVSS v3.1 base score of 5.9, reflecting medium severity, with a vector indicating network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. No public exploits are known at this time, but the vulnerability poses a significant risk in environments where HTTP proxies are used to tunnel HTTPS traffic, especially in enterprise settings relying on Red Hat Enterprise Linux 10. The flaw highlights a critical design oversight in how sensitive data is handled during the proxy tunnel setup phase.
Potential Impact
The primary impact of CVE-2026-5119 is the potential compromise of session confidentiality. Intercepted session cookies can allow attackers to hijack user sessions, leading to unauthorized access to sensitive systems or data. This can result in user impersonation, data leakage, and potential lateral movement within an organization’s network. Although the integrity and availability impacts are low or none, the confidentiality breach alone can have severe consequences, especially in environments handling sensitive or regulated data. Organizations using HTTP proxies to tunnel HTTPS traffic on Red Hat Enterprise Linux 10 are at risk, particularly if attackers have network access or control over proxy infrastructure. The requirement for user interaction and high attack complexity somewhat limits exploitation, but targeted attacks against high-value users or systems remain a concern. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is widely known.
Mitigation Recommendations
To mitigate CVE-2026-5119, organizations should apply any available patches or updates from Red Hat addressing the libsoup vulnerability as soon as they are released. In the absence of patches, consider disabling or avoiding the use of HTTP proxies for HTTPS tunneling where possible. Network administrators should monitor and restrict proxy configurations to trusted devices only and implement network segmentation to limit attacker access to proxy traffic. Employing encrypted proxy protocols or VPNs can reduce exposure of sensitive data during proxy communication. Additionally, enforcing multi-factor authentication (MFA) can mitigate the impact of session hijacking by requiring additional verification beyond stolen cookies. Regularly auditing proxy logs for unusual CONNECT requests and monitoring for anomalous session activity can help detect exploitation attempts. Educating users about the risks of interacting with untrusted networks or proxies can also reduce the likelihood of successful attacks. Finally, consider deploying endpoint detection and response (EDR) solutions to identify suspicious session hijacking behaviors.
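The audit of proxy traffic for unusual CONNECT requests recommended above can be automated. As an added example (not part of the original advisory and not libsoup code), the following Python code inspects request heads captured at a forward proxy and flags any CONNECT that carries a Cookie header, keeping cookie names only so the audit output does not itself store session secrets. The function names and the sample capture are hypothetical and constructed for illustration.

```python
def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers) or None."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not an HTTP request line (e.g. raw TLS bytes)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive, so normalise before matching.
            headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers


def cookie_names(value: str):
    """Return the cookie names in a Cookie header value; values are dropped."""
    names = (pair.partition("=")[0].strip() for pair in value.split(";"))
    return [n for n in names if n]


def audit_connect_requests(raw_requests):
    """Return (target, [cookie names]) for each CONNECT that carries Cookie."""
    findings = []
    for raw in raw_requests:
        parsed = parse_request_head(raw)
        if parsed is None or parsed[0] != "CONNECT":
            continue
        _, target, headers = parsed
        names = [n for k, v in headers if k == "cookie" for n in cookie_names(v)]
        if names:
            findings.append((target, names))
    return findings


# Constructed sample capture (not real traffic); hosts and cookies are made up.
SAMPLE = [
    b"CONNECT app.example.test:443 HTTP/1.1\r\nHost: app.example.test:443\r\n"
    b"cookie: SESSIONID=constructed-value; theme=dark\r\n\r\n",
    b"CONNECT cdn.example.test:443 HTTP/1.1\r\nHost: cdn.example.test:443\r\n"
    b"Proxy-Connection: keep-alive\r\n\r\n",
    b"GET http://plain.example.test/ HTTP/1.1\r\nHost: plain.example.test\r\n"
    b"Cookie: a=b\r\n\r\n",
    b"\x16\x03\x01\x02\x00garbage",
]

if __name__ == "__main__":
    for target, names in audit_connect_requests(SAMPLE):
        print(f"CONNECT {target} carried cookies in cleartext: {', '.join(names)}")
```

A clean CONNECT request normally carries only the target authority, `Host`, and proxy-related headers, so any finding here points to a client that still needs the libsoup update.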
Affected Countries
United States, Germany, United Kingdom, India, Japan, Canada, Australia, France, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-03-30T05:13:41.920Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ca16d5e6bfc5ba1dd8ea87
Added to database: 3/30/2026, 6:23:17 AM
Last enriched: 3/30/2026, 6:38:20 AM
Last updated: 3/30/2026, 8:47:06 AM