Untrusted Input Vulnerability in Bandit by mtrudel
CVE-2026-39807

6.3MEDIUM

Key Information:

Vendor: Mtrudel
Status: Bandit
Vendor: CVE Published:; 1 May 2026

What is CVE-2026-39807?

The vulnerability in mtrudel's Bandit arises from its handling of client-supplied URI schemes without proper validation, enabling unauthenticated transport-state spoofing over plaintext HTTP connections. This flaw allows attackers to manipulate the conn.scheme variable, leading to potentially severe consequences for downstream Plug consumers. These affected components may inadvertently believe they are operating under secure conditions, resulting in the misdirected processing of requests, improper handling of secure cookies, and failures in security features like CSRF protections. The issue affects versions of Bandit from 1.0.0 up to 1.11.0.

Affected Version(s)

bandit 1.0.0 < 1.11.0

bandit ff2f829326cd5dcf7335939aef9775269d881e28 < 1.11.0

References

https://github.com/mtrudel/bandit/security/advisories/GHS...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-39807.html

https://osv.dev/vulnerability/EEF-CVE-2026-39807

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

Peter Ullrich

Mat Trudel

Jonatan Männchen

CVE-2026-39807 Data

JSON