CVE-2026-5119
Published: 30 March 2026
Summary
CVE-2026-5119 is a medium-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539); ranked at the 1.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-5119 by requiring timely identification, prioritization, and patching of the flaw in libsoup that exposes session cookies in cleartext.
Requires protection of confidentiality and integrity for transmitted information, preventing interception of sensitive session cookies sent in cleartext HTTP CONNECT requests through proxies.
Enforces secure configuration settings for HTTP clients using libsoup to restrict or configure proxy usage, avoiding exposure to untrusted proxies.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability exposes session cookies in cleartext CONNECT requests, directly enabling MITM interception (T1557) to steal web session cookies (T1539) for use as alternate authentication material (T1550.004) in session hijacking.
NVD Description
A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies,…
more
leading to potential session hijacking or user impersonation.
Deeper analysisAI
CVE-2026-5119 is a vulnerability in libsoup, a library used for HTTP client/server capabilities in GNOME applications. The flaw occurs when establishing HTTPS tunnels through a configured HTTP proxy, where sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. This exposes the cookies to interception, as documented under CWE-319 (Cleartext Transmission of Sensitive Information). The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N), indicating medium severity with high confidentiality impact.
A network-positioned attacker or a malicious HTTP proxy can exploit this vulnerability by intercepting the cleartext cookies in the CONNECT request. Exploitation requires the victim to interact with a site using libsoup via an HTTP proxy (user interaction required) and involves high attack complexity, typically in scenarios like man-in-the-middle on untrusted networks. Successful interception enables session hijacking or user impersonation, allowing attackers to compromise user sessions without privileges.
Mitigation details are available in related advisories, including the Red Hat security bulletin at https://access.redhat.com/security/cve/CVE-2026-5119, Red Hat Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2452932, and the GNOME libsoup GitLab issue at https://gitlab.gnome.org/GNOME/libsoup/-/issues/502, which likely cover patches and workarounds for affected versions.
Details
- CWE(s)