SB2026021137 - Multiple vulnerabilities in libsoup

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2026-1539)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to library does not remove data from Proxy-Authorization header when following redirects. A remote attacker can gain access to sensitive information passed via the Proxy-Authorization header. 

2) CRLF injection (CVE-ID: CVE-2026-1536)

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data. A remote attacker can pass specially crafted HTTP request ta to the application containing CR-LF characters and modify application behavior.

3) CRLF injection (CVE-ID: CVE-2026-1467)

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data. A remote attacker can pass specially crafted HTTP request ta to the application containing CR-LF characters and modify application behavior.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://access.redhat.com/security/cve/CVE-2026-1539
• https://access.redhat.com/security/cve/CVE-2026-1536
• https://bugzilla.redhat.com/show_bug.cgi?id=2433834
• https://access.redhat.com/security/cve/CVE-2026-1467
• https://bugzilla.redhat.com/show_bug.cgi?id=2433174