CVE-2026-8368: CWE-522 Insufficiently Protected Credentials in OALDERS LWP::UserAgent
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes. A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.
AI Analysis
Technical Summary
The vulnerability in LWP::UserAgent before version 6.83 involves insufficient protection of credentials (CWE-522). Specifically, during HTTP 3xx redirects, the module strips only Host and Cookie headers but leaves Authorization and Proxy-Authorization headers intact. This results in these headers being sent to the redirect destination regardless of cross-origin changes, potentially exposing sensitive authentication credentials to unauthorized parties if the redirect target is malicious.
Potential Impact
An attacker controlling a redirect target can receive the caller's Authorization and Proxy-Authorization headers, leading to credential disclosure. This compromises confidentiality of authentication credentials used by the client application. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided. Users should monitor the vendor or CPAN security advisories for updates. Until a fix is available, avoid following redirects to untrusted or attacker-controlled hosts when using vulnerable versions of LWP::UserAgent. Consider implementing manual redirect handling that strips sensitive headers or upgrading to version 6.83 or later once available.
CVE-2026-8368: CWE-522 Insufficiently Protected Credentials in OALDERS LWP::UserAgent
Description
LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes. A redirect to an attacker controlled host therefore discloses the caller's credentials to that host.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in LWP::UserAgent before version 6.83 involves insufficient protection of credentials (CWE-522). Specifically, during HTTP 3xx redirects, the module strips only Host and Cookie headers but leaves Authorization and Proxy-Authorization headers intact. This results in these headers being sent to the redirect destination regardless of cross-origin changes, potentially exposing sensitive authentication credentials to unauthorized parties if the redirect target is malicious.
Potential Impact
An attacker controlling a redirect target can receive the caller's Authorization and Proxy-Authorization headers, leading to credential disclosure. This compromises confidentiality of authentication credentials used by the client application. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided. Users should monitor the vendor or CPAN security advisories for updates. Until a fix is available, avoid following redirects to untrusted or attacker-controlled hosts when using vulnerable versions of LWP::UserAgent. Consider implementing manual redirect handling that strips sensitive headers or upgrading to version 6.83 or later once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-05-11T21:33:14.480Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0341f7cbff5d8610f900dd
Added to database: 5/12/2026, 3:06:31 PM
Last enriched: 5/12/2026, 3:22:25 PM
Last updated: 5/12/2026, 7:44:15 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.