Vulnerability in Guzzle PSR-7 Library Allows Header Injection via User-Controlled URLs
CVE-2026-49214

5.3MEDIUM

Key Information:

Vendor

Guzzle

Status
Vendor
CVE Published:
11 June 2026

What is CVE-2026-49214?

The Guzzle PSR-7 HTTP message library prior to version 2.10.2 is susceptible to a header injection vulnerability. When an application processes user-controlled URLs to construct PSR-7 Uri or Request, certain ASCII control characters, whitespace, or DEL in the host component can be exploited. This flaw can result in an attacker injecting malicious headers into serialized requests. Affected applications include those utilizing user-controlled URLs for outbound requests, URL forwarding, and other request dispatch mechanisms. The issue can lead to severe consequences such as request smuggling or cache poisoning, particularly in environments with HTTP/1.1 connection reuse or through proxies and gateways. The recommended mitigation involves validating and rejecting all untrusted URI strings prior to constructing PSR-7 Uri or Request instances and ensuring that outbound HTTP clients properly handle invalid URI and header data.

Affected Version(s)

psr7 < 2.10.2

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.