Cyber Resilience

CVE-2026-6734

HighUpdated

Published: 17 June 2026

Published
17 June 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0028 19.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6734 is a high-severity Origin Validation Error (CWE-346) vulnerability in Nodejs Undici. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination.…

more

This causes cross-origin request routing: credentials and request data intended for origin B are sent to origin A, responses from the wrong origin are trusted, and HTTPS requests may be silently downgraded to HTTP. Impacted users are applications that use Socks5ProxyAgent (directly or via setGlobalDispatcher) and make requests to more than one origin. This was introduced in undici 7.23.0 via PR #4385 and affects all versions through 8.1.0. Patches: Upgrade to undici v7.26.0 or v8.2.0. Workarounds: Use a separate Socks5ProxyAgent instance per origin, or avoid using Socks5ProxyAgent with multiple origins.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Origin validation failure + silent HTTP downgrade enables adversary-in-the-middle scenarios when multiple origins are accessed via the shared SOCKS5 pool.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

nodejs
undici
7.23.0 — 7.28.0 · 8.0.0 — 8.2.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-940 CWE-346

Enforces verification of the source of a communication channel by requiring identification and authentication of services first.

addresses: CWE-346 CWE-940

Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.

addresses: CWE-346 CWE-940

Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.

addresses: CWE-346 CWE-940

Mandates origin validation so that only legitimate endpoints can continue the authenticated session.

addresses: CWE-346

Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.

References