Cross-Origin Header Propagation in Eclipse Vert.x Affects Security of User Credentials
CVE-2026-15075

8.2HIGH

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-15075?

In specific versions of Eclipse Vert.x, a significant vulnerability exists due to the improper handling of cross-origin HTTP redirects by the DefaultRedirectHandler. This issue allows sensitive request headers such as Authorization tokens, session cookies, and arbitrary custom headers to be forwarded to potentially malicious redirect destinations without the user’s awareness. As a result, attackers can exploit this flaw by redirecting requests through compromised endpoints, enabling unauthorized access to user credentials and sensitive data.

Affected Version(s)

Eclipse Vert.x 4.0.0 <= 4.5.29

Eclipse Vert.x 5.0.0 <= 5.1.4

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.