Session Management Flaw in Eclipse Vert.x Web Client Affects Cookie Handling
CVE-2026-15076
What is CVE-2026-15076?
The WebClientSession component of the Eclipse Vert.x Web Client allows attackers to exploit a flaw in cookie handling. When the software processes Set-Cookie responses, it fails to ensure that the Domain attribute of these cookies corresponds to the original server's domain. This oversight permits an attacker controlling a different server to inject unauthorized cookies scoped to a third-party domain. Consequently, when the application employs the same WebClientSession to interact with the targeted domain, it may inadvertently transmit these malicious cookies, giving the attacker access to sensitive information such as payment data or API payloads under the guise of the victim’s session.
Affected Version(s)
Eclipse Vert.x 4.0.0 <= 4.5.29
Eclipse Vert.x 5.0.0 <= 5.1.4
