CVE-2026-34226
Published: 27 March 2026
Summary
CVE-2026-34226 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Capricorn86 Happy Dom. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). The CVE ranks in the 16.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-8 (System Component Inventory).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mandates timely remediation of the specific flaw in Happy DOM by patching to version 20.8.9 or later to prevent cookie leakage across origins.
Enables vulnerability scanning to identify deployments using vulnerable Happy DOM versions affected by CVE-2026-34226.
Maintains an inventory of system components including third-party libraries like Happy DOM, supporting prioritization of flaw remediation for this CVE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables malicious JS (T1059.007) to trigger cross-origin fetch that leaks web session cookies (T1539) due to incorrect credential attachment logic.
NVD Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
Deeper analysis
Happy DOM, a JavaScript library implementing a web browser environment without a graphical user interface, contains a vulnerability in versions prior to 20.8.9. The flaw causes the library to incorrectly attach cookies from the current page origin (window.location) rather than the request target URL when using fetch with the { credentials: "include" } option. This misbehavior enables unintended cookie leakage from one origin (A) to another (B), violating same-origin policy expectations for credentials. The issue is tracked as CVE-2026-34226 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-201 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-359 (Exposure of Private Personal Information to an Unauthorized Entity).
Attackers can exploit this vulnerability remotely without privileges or user interaction by controlling content on a page that uses vulnerable Happy DOM and inducing a fetch request to their target origin with credentials included. For instance, in environments like server-side rendering, testing frameworks (e.g., Jest), or Node.js applications leveraging Happy DOM for DOM manipulation, an attacker could inject malicious JavaScript to trigger the faulty fetch behavior. Successful exploitation allows the attacker to exfiltrate sensitive cookies tied to the victim's origin, potentially enabling session hijacking, account takeover, or further reconnaissance if those cookies hold authentication tokens or other confidential data.
The official GitHub security advisory (GHSA-w4gp-fjgq-3q4g) and release notes for version 20.8.9 detail the patch, which corrects the cookie attachment logic in FetchRequestHeaderUtility.ts via commit 68324c21d7b98f53f7bb5a7b3e185bda7106e751 and pull request #2117. Security practitioners should upgrade to Happy DOM 20.8.9 or later, audit dependencies for vulnerable versions, and review fetch usage in applications relying on this library to ensure credentials are not inadvertently included in cross-origin requests.
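One way to run the dependency audit recommended above, as an added example (not code from the Happy DOM project or the advisory): it scans an npm lockfile's `packages` map for `happy-dom` entries, including nested copies pulled in by other tools, that are older than 20.8.9. The npm lockfile v2/v3 layout is assumed, and the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example: flag happy-dom installs older than the fixed release in an
// npm lockfile (lockfileVersion 2/3, which carries a flat "packages" map).
const FIXED = "20.8.9"; // fixed release named on this page

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when version a sorts before version b. A prerelease of X.Y.Z sorts
// before X.Y.Z itself, so "20.8.9-beta.1" is still treated as unpatched.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre !== null && b.pre === null;
}

// Return every happy-dom entry (top-level or nested) older than FIXED.
function findVulnerableHappyDom(lock) {
  const fixed = parseVersion(FIXED);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/happy-dom".
    if (!/(^|\/)node_modules\/happy-dom$/.test(path)) continue;
    const v = parseVersion(meta.version || "");
    // An unparseable or missing version is reported, not silently passed.
    if (v === null || isBefore(v, fixed)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "20.8.9" },
    "node_modules/some-test-env/node_modules/happy-dom": { version: "20.8.8" },
    "node_modules/other-tool/node_modules/happy-dom": { version: "15.11.7" },
    "node_modules/@example/happy-dom": { version: "1.2.3" }, // different package
  },
};

console.log(findVulnerableHappyDom(sampleLock));
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVulnerableHappyDom` instead of the sample object.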
Details
- CWE(s)