Improper Host Header Validation in Guzzle HTTP Library
CVE-2026-48998

5.3MEDIUM

Key Information:

Vendor

Guzzle

Status
Vendor
CVE Published:
11 June 2026

What is CVE-2026-48998?

The Guzzle HTTP library, specifically versions prior to 2.10.2, is susceptible to improper validation of the Host header. This vulnerability allows attackers to manipulate raw HTTP request messages by providing malformed Host headers that contain URI authority delimiters, potentially affecting server request URIs constructed from server variables. When such malformed Host values are parsed, they can lead to unintended interpretations that diverge from the original Host header. As a result, applications that rely on these parsed URIs for routing or security checks may inadvertently forward requests to incorrect hosts. This issue is primarily a concern when applications handle untrusted HTTP request data using the affected parsing functions. Users are advised to implement validations on the Host header before processing it, as version 1.x is no longer supported and will not receive patches.

Affected Version(s)

psr7 < 2.10.2

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.