CVE-2026-33745
Published: 27 March 2026
Summary
CVE-2026-33745 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Yhirose Cpp-Httplib. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). It is ranked at the 19.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and remediation of flaws such as CVE-2026-33745 in cpp-httplib to prevent credential leakage to arbitrary hosts via cross-origin redirects.
RA-5 uses vulnerability scanning to detect deployments of vulnerable cpp-httplib versions affected by CVE-2026-33745 before exploitation occurs.
SI-5 ensures receipt and implementation of security advisories like GHSA-6hrp-7fq9-3qv2 for CVE-2026-33745, prompting patching of the credential-forwarding flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables theft of application access tokens and other HTTP credentials (Basic Auth, Bearer, Digest) by leaking Authorization headers to attacker-controlled hosts during cross-origin redirects.
NVD Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue.
Deeper analysis
CVE-2026-33745 affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, in versions prior to 0.39.0. The vulnerability resides in the HTTP client: when a response carries a redirect status (301, 302, 307, or 308) and the client is configured to follow it, the stored Basic Auth, Bearer Token, or Digest Auth credentials are reattached to the follow-up request even when the Location target is a different origin. The Authorization header, and the plaintext credentials inside it, therefore reach whatever host the redirect names. The status code does not matter; what matters is that the target's scheme, host, or port differs from the origin the credentials were configured for.
Remote attackers exploit this by controlling or compromising any server the client talks to with credentials attached, and answering with a redirect to a host they operate. When the cpp-httplib client follows the redirect, it sends the credentials to the attacker's host, which simply logs the Authorization header. The CVSS vector rates attack complexity as high because the attacker must be in the client's redirect path (a compromised upstream, a malicious third-party endpoint, or a server that reflects attacker-supplied redirect targets), but no privileges and no user interaction are required from the victim. Only clients that have both stored credentials and redirect following enabled (cpp-httplib's redirect following is opt-in via set_follow_location) are exposed.
The GitHub security advisory (GHSA-6hrp-7fq9-3qv2) confirms that upgrading to version 0.39.0 resolves the issue by preventing the forwarding of credentials across origins during redirects. Practitioners should audit dependencies using cpp-httplib (it is frequently vendored as a single header rather than pulled in through a package manager, so scanners keyed on package manifests can miss it) and apply the patch promptly. Where an immediate upgrade is not possible, disabling redirect following on clients that carry credentials, or issuing authenticated requests only to the exact origin the credentials belong to, removes the exposure. Bearer tokens that may already have been leaked should be rotated.
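The following is an added example, not code from cpp-httplib or from the advisory, showing the origin rule a redirect-following HTTP client has to enforce to avoid this class of leak: stored credentials travel with the redirected request only when the target resolves to the same scheme, host, and port as the request being redirected. It goes slightly beyond the CVE text by also treating scheme downgrades, port changes, scheme-relative Location values, and unparsable targets as cross-origin (fail closed). All URLs and header values are constructed for the example.

```cpp
// Added example (not cpp-httplib's own code): origin check for HTTP redirect
// following. Credentials are forwarded only to the exact origin they were
// configured for; anything else drops the Authorization header.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

struct Origin {
    std::string scheme;
    std::string host;
    int port = -1;
};

using Headers = std::map<std::string, std::string>;

static std::string lower_ascii(std::string s) {
    for (auto &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Parse "<scheme>://[userinfo@]host[:port][/path...]" into an Origin.
// Returns false for anything that is not a well-formed http(s) URL.
bool parse_origin(const std::string &url, Origin &out) {
    const auto sep = url.find("://");
    if (sep == std::string::npos) return false;
    const std::string scheme = lower_ascii(url.substr(0, sep));
    if (scheme != "http" && scheme != "https") return false;

    std::string authority = url.substr(sep + 3);
    authority = authority.substr(0, authority.find_first_of("/?#"));
    const auto at = authority.rfind('@');
    if (at != std::string::npos) authority.erase(0, at + 1);  // drop userinfo
    if (authority.empty()) return false;

    std::string host = authority, port_str;
    if (authority[0] == '[') {  // IPv6 literal
        const auto close = authority.find(']');
        if (close == std::string::npos) return false;
        host = authority.substr(0, close + 1);
        const std::string tail = authority.substr(close + 1);
        if (!tail.empty()) {
            if (tail[0] != ':') return false;
            port_str = tail.substr(1);
        }
    } else {
        const auto colon = authority.rfind(':');
        if (colon != std::string::npos) {
            host = authority.substr(0, colon);
            port_str = authority.substr(colon + 1);
        }
    }
    if (host.empty()) return false;

    int port = (scheme == "https") ? 443 : 80;  // default port per scheme
    if (!port_str.empty()) {
        if (port_str.size() > 5 ||
            !std::all_of(port_str.begin(), port_str.end(),
                         [](unsigned char c) { return std::isdigit(c) != 0; }))
            return false;
        port = std::stoi(port_str);
        if (port < 1 || port > 65535) return false;
    }
    out.scheme = scheme;
    out.host = lower_ascii(host);  // host names compare case-insensitively
    out.port = port;
    return true;
}

// True when the value starts with a URL scheme, e.g. "https://...".
static bool is_absolute_url(const std::string &s) {
    const auto pos = s.find("://");
    if (pos == std::string::npos || pos == 0) return false;
    return std::all_of(s.begin(), s.begin() + pos, [](unsigned char c) {
        return std::isalnum(c) || c == '+' || c == '-' || c == '.';
    });
}

// Resolve a Location header value against the redirected request's URL so that
// relative, scheme-relative and absolute forms all go through the same check.
std::string resolve_location(const std::string &current_url, const std::string &location) {
    if (is_absolute_url(location)) return location;
    Origin cur;
    if (!parse_origin(current_url, cur)) return "";
    if (location.rfind("//", 0) == 0) return cur.scheme + ":" + location;  // "//host/path"
    const std::string base = cur.scheme + "://" + cur.host + ":" + std::to_string(cur.port);
    return base + (!location.empty() && location[0] == '/' ? "" : "/") + location;
}

// Same origin means identical scheme, host and port. Unparsable input fails closed.
bool is_same_origin(const std::string &a, const std::string &b) {
    Origin oa, ob;
    if (!parse_origin(a, oa) || !parse_origin(b, ob)) return false;
    return oa.scheme == ob.scheme && oa.host == ob.host && oa.port == ob.port;
}

bool should_forward_credentials(const std::string &current_url, const std::string &location) {
    return is_same_origin(current_url, resolve_location(current_url, location));
}

// Headers for the follow-up request. The redirect status (301/302/307/308) plays
// no part in the decision: Authorization is stripped whenever the target is cross-origin.
Headers headers_for_redirect(const std::string &current_url, const std::string &location,
                             const Headers &in) {
    if (should_forward_credentials(current_url, location)) return in;
    Headers out;
    for (const auto &kv : in)
        if (lower_ascii(kv.first) != "authorization") out.insert(kv);
    return out;
}

int main() {
    const Headers req{{"Authorization", "Bearer constructed-token"}, {"Accept", "*/*"}};
    for (const char *loc : {"/v2/login", "https://attacker.example.net/capture",
                            "http://api.example.com/login", "//attacker.example.net/c"}) {
        const Headers h = headers_for_redirect("https://api.example.com/login", loc, req);
        std::cout << loc << " -> Authorization " << (h.count("Authorization") ? "kept" : "stripped") << "\n";
    }
    return 0;
}
```

The decision is made on the resolved target, not on the raw Location value, so a scheme-relative redirect ("//attacker.example.net/...") or a query string that merely contains another URL cannot confuse the check.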
Details
- CWE(s)