CVE-2026-32627
Published: 16 March 2026
Summary
CVE-2026-32627 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 10.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the flaw, which here means moving every build that bundles cpp-httplib to 0.37.2 or later so that TLS certificate verification is no longer silently disabled on proxied HTTPS redirects.
- SC-17 (Public Key Infrastructure Certificates): mandates certificate policies and validation mechanisms so that TLS certificates are actually verified, directly countering the improper certificate validation on redirected HTTPS connections.
- Transmission confidentiality and integrity controls: cryptographic protection of data in transit limits what an interceptor can read or alter, but only when the client verifies the peer it is talking to; these controls do not address the library flaw itself, which is precisely the verification step being skipped.
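One way to make the flaw-remediation control enforceable at build time, as an added example that is not cpp-httplib's own code: refuse to compile against a header older than 0.37.2. It assumes CPPHTTPLIB_VERSION, the dotted string macro httplib.h defines (for example "0.37.2"), is visible because httplib.h was included first; when the macro is absent, a constructed stand-in value keeps the example compiling on its own. The function names are this example's, not the library's.

```cpp
#include <array>
#include <cstddef>
#include <string_view>

// Stand-in so this example compiles on its own. In a real build, include
// httplib.h before this code and delete these three lines so the header's
// own CPPHTTPLIB_VERSION is the one that gets checked.
#ifndef CPPHTTPLIB_VERSION
#define CPPHTTPLIB_VERSION "0.37.2"  // constructed value for this example only
#endif

// Parse "MAJOR.MINOR.PATCH" into three integers at compile time. Parsing stops
// at the first character that is neither a digit nor a dot, so a suffix such
// as "-rc1" is ignored rather than rejected.
constexpr std::array<int, 3> parse_version(std::string_view v) {
    std::array<int, 3> out{0, 0, 0};
    std::size_t field = 0;
    int cur = 0;
    for (char c : v) {
        if (c == '.') {
            if (field < 2) out[field++] = cur;
            cur = 0;
        } else if (c >= '0' && c <= '9') {
            cur = cur * 10 + (c - '0');
        } else {
            break;
        }
    }
    if (field < 3) out[field] = cur;
    return out;
}

// True when `have` is the same as or newer than `want`, compared field by
// field (a plain string compare would rank "0.9.9" above "0.37.2").
constexpr bool version_at_least(std::string_view have, std::string_view want) {
    const auto a = parse_version(have);
    const auto b = parse_version(want);
    for (std::size_t i = 0; i < 3; ++i)
        if (a[i] != b[i]) return a[i] > b[i];
    return true;
}

// The fixed version per the advisory; anything older is affected.
constexpr std::string_view kFixedVersion = "0.37.2";

static_assert(version_at_least(CPPHTTPLIB_VERSION, kFixedVersion),
              "cpp-httplib older than 0.37.2 is affected by CVE-2026-32627 "
              "(unverified TLS on proxied HTTPS redirects); upgrade the header");

// Runtime form of the same check, usable from a startup self-test.
inline bool bundled_httplib_is_fixed() {
    return version_at_least(CPPHTTPLIB_VERSION, kFixedVersion);
}
```

The static_assert is the useful part: a vendored copy of httplib.h that someone forgets to bump fails the build with the CVE identifier in the error message instead of silently shipping the affected code.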
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Adversary-in-the-Middle (T1557): an attacker who can answer a proxied client's request with a redirect is handed an adversary-in-the-middle position, because the follow-up HTTPS connection is made without certificate or hostname verification and its traffic can therefore be read and altered.
NVD Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.
Deeper analysis
CVE-2026-32627 affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, in versions prior to 0.37.2. The flaw needs two client-side preconditions: a configured proxy and set_follow_location(true). When both hold, any HTTPS redirect the client follows is fetched over a new connection on which TLS certificate and hostname verification have been silently disabled, so the client accepts whatever certificate the redirect target presents, whether expired, self-signed, or forged, and the application is never told.
A network attacker in a position to return a redirect response can then fully intercept the follow-up HTTPS connection, including any credentials or session tokens it carries. The CVSS 3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N) reflects a network-reachable attack that needs no privileges or user interaction, has changed scope, and has high confidentiality and integrity impact with no availability impact; the attack complexity is rated high because exploitation depends on the client's proxy-plus-follow-location configuration and on the attacker's ability to return a redirect.
The GitHub security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-c3h8-fqq4-xm4g details the issue and confirms the fix in version 0.37.2. Upgrade to 0.37.2 or later. Where that cannot happen immediately, inventory applications that use cpp-httplib with a proxy configured together with set_follow_location(true), since only that combination triggers the flaw; turning automatic redirect following off on those clients and handling redirects in application code removes the vulnerable path until the upgrade lands. The weakness is classified as CWE-295 (Improper Certificate Validation).
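The interim workaround above, handling redirects in application code rather than via set_follow_location(true), as an added example that is not cpp-httplib's own code: every hop is issued through a transport callback that is told explicitly to verify TLS, an https-to-http redirect is refused, and the chain length is bounded. The Transport type, the fetch_following_redirects helper, the URL parser and the api.example.test hosts are all constructed for this example; a real adapter would build a fresh httplib::Client per hop with set_follow_location(false) and enable_server_certificate_verification(true) and return that hop's status, Location header and body.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>

struct Url { std::string scheme, host, path; int port = 0; };

// Minimal parser for "scheme://host[:port][/path]" (hypothetical helper, not
// httplib's). Enough for the redirect logic below; not a general URL parser.
inline Url parse_url(const std::string& s) {
    Url u;
    const auto sep = s.find("://");
    if (sep == std::string::npos) throw std::invalid_argument("no scheme in " + s);
    u.scheme = s.substr(0, sep);
    const std::string rest = s.substr(sep + 3);
    const auto slash = rest.find('/');
    const std::string authority = rest.substr(0, slash);
    u.path = (slash == std::string::npos) ? "/" : rest.substr(slash);
    const auto colon = authority.find(':');
    u.host = authority.substr(0, colon);
    u.port = (colon == std::string::npos) ? (u.scheme == "https" ? 443 : 80)
                                          : std::stoi(authority.substr(colon + 1));
    if (u.host.empty()) throw std::invalid_argument("empty host in " + s);
    return u;
}

// Result of a single request hop.
struct HopResult { int status = 0; std::string location; std::string body; };

// Performs ONE request with no automatic redirect following, verifying the peer
// certificate and hostname iff `verify` is true (hypothetical; see lead-in).
using Transport = std::function<HopResult(const Url&, bool verify)>;

// Only absolute URLs and absolute-path Location values are handled here.
inline Url resolve_location(const Url& current, const std::string& location) {
    if (location.find("://") != std::string::npos) return parse_url(location);
    if (location.empty() || location[0] != '/')
        throw std::runtime_error("unsupported Location value: " + location);
    Url next = current;
    next.path = location;
    return next;
}

// Follows up to max_hops redirects. On every hop: verification is requested
// unconditionally (the bug was the library dropping it on proxied HTTPS
// redirects), an https -> http redirect is refused as a downgrade, and chains
// or loops are bounded by max_hops.
inline HopResult fetch_following_redirects(const std::string& start,
                                           const Transport& transport,
                                           std::size_t max_hops = 5) {
    Url current = parse_url(start);
    for (std::size_t hop = 0;; ++hop) {
        const HopResult r = transport(current, /*verify=*/true);
        const bool redirect = r.status == 301 || r.status == 302 || r.status == 303 ||
                              r.status == 307 || r.status == 308;
        if (!redirect) return r;
        if (hop >= max_hops) throw std::runtime_error("too many redirects");
        if (r.location.empty()) throw std::runtime_error("redirect without Location");
        const Url next = resolve_location(current, r.location);
        if (current.scheme == "https" && next.scheme != "https")
            throw std::runtime_error("refusing https->http downgrade to " + next.host);
        current = next;
    }
}

// Constructed fake transport for a stand-alone run: api.example.test answers 302
// to a second HTTPS host, which answers 200. It records whether any hop was
// issued without verification, which is exactly what the flawed library did.
struct FakeState { int hops = 0; bool unverified_hop = false; };

inline HopResult demo_fetch(FakeState& st) {
    const Transport fake = [&st](const Url& u, bool verify) {
        ++st.hops;
        if (!verify) st.unverified_hop = true;
        if (u.host == "api.example.test")
            return HopResult{302, "https://api2.example.test/v2/login", ""};
        return HopResult{200, "", "ok from " + u.host + u.path};
    };
    return fetch_following_redirects("https://api.example.test/v1/login", fake);
}

// Constructed downgrade case: an HTTPS origin redirecting to plain HTTP.
inline bool downgrade_is_refused() {
    const Transport fake = [](const Url&, bool) {
        return HopResult{302, "http://api.example.test/v1/login", ""};
    };
    try { fetch_following_redirects("https://api.example.test/v1/login", fake); }
    catch (const std::runtime_error&) { return true; }
    return false;
}

int main() {
    FakeState st;
    const HopResult r = demo_fetch(st);
    std::cout << "status " << r.status << " after " << st.hops << " hops, unverified hop: "
              << st.unverified_hop << ", downgrade refused: " << downgrade_is_refused() << '\n';
}
```

The point of the structure is that the verification decision is made once, in one place, and is not derived from any state carried over from the previous hop; the library bug was a second code path (proxy plus redirect) that built the follow-up connection with different defaults than the first one.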
Details
- CWE(s)