Authentication Bypass Vulnerability in Arduino Core for ESP32 by Espressif
CVE-2026-42855

7.5HIGH

Key Information:

Vendor: Espressif
Status: Arduino-esp32
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-42855?

The Arduino core for ESP32 products, including versions for ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2, was found to have an authentication vulnerability. Prior to version 3.3.8, the implementation of WebServer Digest authentication inadequately handled authorization by computing the authentication hash based on the URI field from the client’s Authorization header without ensuring it matched the requested URI. This flaw permits an attacker, who has a valid digest response for one URI, to bypass access controls and authenticate against another protected URI, potentially leading to exposure of sensitive resources.

Affected Version(s)

arduino-esp32 < 3.3.8

References

https://github.com/espressif/arduino-esp32/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 30, 2026

CVE-2026-42855 Data

JSON