Critical Credential Leakage Vulnerabilities in libwww-perl Affect Fedora and Ubuntu
Severity: High (Score: 70.5)
Sources: Linuxsecurity
Keywords: ubuntu, credential, leakage, libwww-perl, fedora, perl-libwww-perl, critical
Severity indicators: critical
Summary
Recent vulnerabilities in the libwww-perl library have been identified, affecting multiple Linux distributions including Fedora and Ubuntu. CVE-2026-8368, published on 2026-05-12, details a critical issue where Authorization headers could be leaked during cross-origin redirects. Fedora 43 has released a fix that strips these headers on such redirects to prevent credential leakage. Ubuntu's versions 26.04 LTS and earlier also face this exposure, allowing remote attackers to potentially access sensitive information. Users are advised to update their systems to the latest package versions to mitigate these risks.

The vulnerabilities highlight the importance of secure handling of HTTP redirects in web applications. Both distributions have issued updates to address these issues, emphasizing the need for prompt action from system administrators.

Key Points:
- CVE-2026-8368 exposes sensitive information via Authorization headers in redirects.
- Fedora 43 and multiple Ubuntu versions are affected, necessitating urgent updates.
- Mitigations include stripping sensitive headers and refusing insecure redirects.
Detailed Analysis
**Impact**

Users of Fedora 43 and multiple Ubuntu releases (26.04 LTS, 25.10, 24.04 LTS, 22.04 LTS) running libwww-perl are affected. The vulnerability risks unauthorized disclosure of sensitive credentials via HTTP redirects, potentially exposing Authorization headers to unintended hosts. This could lead to credential leakage impacting web clients and services relying on libwww-perl, with consequences for data confidentiality across affected Linux distributions globally.

**Technical Details**

The vulnerability (CVE-2026-8368) involves libwww-perl's LWP::UserAgent incorrectly handling cross-origin HTTP redirects, allowing Authorization and Proxy-Authorization headers to be sent to a different scheme, host, or port than the one the request was originally made to. Attackers can exploit this by triggering redirects to capture sensitive headers. The fix strips these headers on cross-origin redirects and refuses HTTPS to HTTP downgrades by default. Proof of concept and patches were developed by Stig Palmquist and reported by Kai Zen. No specific IOCs or malware tools are mentioned.

**Recommended Response**

Apply the Fedora 43 update to perl-libwww-perl version 6.83-1 and the Ubuntu updates to libwww-perl versions 6.81-1ubuntu0.1 or later, as applicable. Configure LWP::UserAgent to avoid allowing credentialed redirects or HTTPS to HTTP downgrades unless explicitly required. Monitor network traffic for unexpected Authorization headers sent to external hosts. No additional detection signatures or IOCs are provided in the reports.
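As an added illustration, not code from libwww-perl or from either distribution's advisory, the following Python models the redirect rule described above: credential headers are dropped whenever the scheme, host, or port changes, and an HTTPS to HTTP downgrade is refused unless explicitly allowed. The URLs and headers are constructed sample values.

```python
"""Model of the cross-origin redirect policy described for libwww-perl 6.83.

This is an added, language-independent illustration of the rule, not the
LWP::UserAgent implementation itself.
"""
from urllib.parse import urlsplit

# Request headers that carry credentials and must not cross an origin boundary.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port.

    Treating https://h/ and https://h:443/ as the same origin avoids stripping
    credentials on a redirect that merely makes the default port explicit.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect(request_url, redirect_url, headers, allow_downgrade=False):
    """Decide which headers may follow a redirect from request_url to redirect_url.

    Returns the header dict to send on the redirected request, or None when the
    redirect is an HTTPS -> HTTP downgrade and downgrades were not explicitly
    allowed (the caller should then stop following the redirect).
    """
    src, dst = origin(request_url), origin(redirect_url)
    if src[0] == "https" and dst[0] == "http" and not allow_downgrade:
        return None  # refuse the downgrade by default
    if src == dst:
        return dict(headers)  # same origin: credentials may travel with the request
    # Different scheme, host, or port: drop credential headers (names are case-insensitive).
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


if __name__ == "__main__":
    # Constructed examples: the hostnames below are placeholders.
    sent = {"Authorization": "Bearer <token>", "Accept": "application/json"}
    cases = [
        ("https://api.example.test/v1", "https://api.example.test/v2"),      # same origin
        ("https://api.example.test/v1", "https://cdn.example.test/v1"),      # host differs
        ("https://api.example.test/v1", "https://api.example.test:8443/v1"), # port differs
        ("https://api.example.test/v1", "http://api.example.test/v1"),       # downgrade
    ]
    for src, dst in cases:
        print(f"{src} -> {dst}: {headers_for_redirect(src, dst, sent)}")
```

Running the block prints, for each constructed redirect, the headers that would be forwarded (or None for the refused downgrade).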
Source articles (2)
- Ubuntu 26.04 LTS libwww-perl Important Info Exposure Vuln USN-8378 — Linuxsecurity · 2026-06-03
  A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 26.04 LTS, Ubuntu 25.10, Ubuntu 24.04 LTS, Ubuntu 22.04 LTS. Summary: libwww-perl could be made to expose sensitive in…
- Fedora 43 perl-libwww-perl Critical Credential Leakage Fix CVE-2026 — Linuxsecurity · 2026-06-05
  Changes: 6.83 2026-05-12 11:41:48Z - LWP::UserAgent now strips Authorization and Proxy-Authorization headers on cross-origin redirects (a different scheme, host, or port) to prevent credential leakage…
Timeline
- 2026-05-12 — CVE-2026-8368 published: A critical vulnerability in libwww-perl was disclosed, allowing credential leakage through redirects.
- 2026-06-03 — Ubuntu security notice USN-8378 released: Ubuntu announced a security issue in libwww-perl affecting multiple versions, urging users to update.
- 2026-06-05 — Fedora 43 update released: Fedora issued an update to libwww-perl, addressing the critical credential leakage vulnerability.
CVEs
- CVE-2026-8368
Related entities
- Data Breach (Attack Type)
- CWE-200 - Exposure of Sensitive Information (CWE)
- Fedora (Company)
- Ubuntu (Company)
- Libwww-perl (Platform)