Cross-Origin Header Propagation in Eclipse Vert.x Affects Security of User Credentials
CVE-2026-15075
8.2HIGH
What is CVE-2026-15075?
In specific versions of Eclipse Vert.x, a significant vulnerability exists due to the improper handling of cross-origin HTTP redirects by the DefaultRedirectHandler. This issue allows sensitive request headers such as Authorization tokens, session cookies, and arbitrary custom headers to be forwarded to potentially malicious redirect destinations without the user’s awareness. As a result, attackers can exploit this flaw by redirecting requests through compromised endpoints, enabling unauthorized access to user credentials and sensitive data.
Affected Version(s)
Eclipse Vert.x 4.0.0 <= 4.5.29
Eclipse Vert.x 5.0.0 <= 5.1.4
