Cyber Resilience

CVE-2026-5119

MediumPublic PoCUpdated

Published: 30 March 2026

Published
30 March 2026
Modified
09 June 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
EPSS Score 0.0025 16.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-5119 is a medium-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5119 is a vulnerability in libsoup, a library used for HTTP client/server capabilities in GNOME applications. The flaw occurs when establishing HTTPS tunnels through a configured HTTP proxy, where sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. This exposes the cookies to interception, as documented under CWE-319 (Cleartext Transmission of Sensitive Information). The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N), indicating medium severity with high confidentiality impact.

A network-positioned attacker or a malicious HTTP proxy can exploit this vulnerability by intercepting the cleartext cookies in the CONNECT request. Exploitation requires the victim to interact with a site using libsoup via an HTTP proxy (user interaction required) and involves high attack complexity, typically in scenarios like man-in-the-middle on untrusted networks. Successful interception enables session hijacking or user impersonation, allowing attackers to compromise user sessions without privileges.

Mitigation details are available in related advisories, including the Red Hat security bulletin at https://access.redhat.com/security/cve/CVE-2026-5119, Red Hat Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2452932, and the GNOME libsoup GitLab issue at https://gitlab.gnome.org/GNOME/libsoup/-/issues/502, which likely cover patches and workarounds for affected versions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw was found in libsoup. When establishing HTTPS tunnels through a configured HTTP proxy, sensitive session cookies are transmitted in cleartext within the initial HTTP CONNECT request. A network-positioned attacker or a malicious HTTP proxy can intercept these cookies,…

more

leading to potential session hijacking or user impersonation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1550.004 Web Session Cookie Lateral Movement
Adversaries can use stolen session cookies to authenticate to web applications and services.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Vulnerability exposes session cookies in cleartext CONNECT requests, directly enabling MITM interception (T1557) to steal web session cookies (T1539) for use as alternate authentication material (T1550.004) in session hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3099Same product: Gnome Libsoup
CVE-2026-4271Same product: Gnome Libsoup
CVE-2026-2436Same product: Gnome Libsoup
CVE-2025-14087Same product: Redhat Enterprise Linux
CVE-2026-5201Same product: Redhat Enterprise Linux
CVE-2026-3012Same product: Redhat Enterprise Linux
CVE-2026-32309Shared CWE-319
CVE-2025-23060Shared CWE-319
CVE-2026-6276Shared CWE-319
CVE-2024-13872Shared CWE-319

Affected Assets

gnome
libsoup
all versions
redhat
enterprise linux
10.0, 7.0, 8.0, 9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-5119 by requiring timely identification, prioritization, and patching of the flaw in libsoup that exposes session cookies in cleartext.

prevent

Requires protection of confidentiality and integrity for transmitted information, preventing interception of sensitive session cookies sent in cleartext HTTP CONNECT requests through proxies.

prevent

Enforces secure configuration settings for HTTP clients using libsoup to restrict or configure proxy usage, avoiding exposure to untrusted proxies.

References