Upstream information

CVE-2026-7017 at MITRE

Description

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets.

When the server returns a 3xx redirect, `_maybe_redirect` follows the `Location:` header and `_prepare_headers_and_cb` re-merges the caller's `headers` argument into the new request, without checking whether the redirect target shares an origin with the original URL. Caller-supplied `Authorization`, `Cookie` and `Proxy-Authorization` headers are therefore re-sent to whatever host the redirect names, across scheme, host or port boundaries, and including `https` to `http` downgrades that expose them in plaintext on the wire.

The HTTP::Tiny POD note that "Authorization headers will not be included in a redirected request" applied only to the URL-userinfo Basic-auth path, not to headers passed explicitly by the caller.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail CNA (CISA-ADP)
Base Score 7.1
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Impact High
Integrity Impact Low
Availability Impact None
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1271020 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • perl-HTTP-Tiny >= 0.096-2.1
Patchnames:
openSUSE-Tumbleweed-2026-11219


SUSE Timeline for this CVE

CVE page created: Wed Jul 8 11:35:18 2026
CVE page last modified: Thu Jul 9 11:23:33 2026