Session Management Flaw in Eclipse Vert.x Web Client Affects Cookie Handling
CVE-2026-15076

8.2HIGH

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-15076?

The WebClientSession component of the Eclipse Vert.x Web Client allows attackers to exploit a flaw in cookie handling. When the software processes Set-Cookie responses, it fails to ensure that the Domain attribute of these cookies corresponds to the original server's domain. This oversight permits an attacker controlling a different server to inject unauthorized cookies scoped to a third-party domain. Consequently, when the application employs the same WebClientSession to interact with the targeted domain, it may inadvertently transmit these malicious cookies, giving the attacker access to sensitive information such as payment data or API payloads under the guise of the victim’s session.

Affected Version(s)

Eclipse Vert.x 4.0.0 <= 4.5.29

Eclipse Vert.x 5.0.0 <= 5.1.4

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Julien Viet
.