HTTP Client Utility Vulnerability in Hapi Wreck by Hapi.js
CVE-2026-48022

6.5MEDIUM

Key Information:

Vendor

Hapijs

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-48022?

Hapi Wreck, an HTTP client utility, has a vulnerability that can lead to the inadvertent exposure of user credentials. Prior to version 18.1.2, Wreck fails to adequately strip credential headers—such as Authorization, Cookie, and Proxy-Authorization—when following cross-origin redirects. This issue arises because the origin check only considers hostnames, neglecting to account for scheme and port differences. As a result, credentials may be forwarded across same-host port changes and from HTTPS to HTTP, facilitating potential attacks by adjacent tenants or network position attackers. They can capture sensitive information like bearer tokens and session cookies, leading to possible impersonation of users on upstream services. This vulnerability has been resolved in version 18.1.2.

Affected Version(s)

wreck < 18.1.2

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.