Log Forgery Vulnerability in Morgan Middleware by Express.js
CVE-2026-5078

5.3 MEDIUM

Key Information:

Vendor: Morgan
Status: Vendor
CVE Published: 3 June 2026

What is CVE-2026-5078?

The Morgan middleware is susceptible to a log forgery vulnerability because it does not neutralise control characters in the value of the :remote-user token. When an attacker sends a specially crafted Authorization: Basic header containing CR or LF bytes, those bytes are written to the log unchanged, so a single request can produce what looks like additional, forged log entries. This compromises the integrity of access logs and can mislead downstream log consumers. The vulnerability affects versions 1.2.0 to 1.10.1 and can be mitigated by upgrading to version 1.11.0 or by using a custom log format that omits the :remote-user reference.
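The second mitigation above (a custom format that avoids the built-in :remote-user token) can be done without losing the user field. The following is an added example, not code from morgan or Express: a replacement token callback that escapes control characters before they reach the log line. It assumes Node.js and uses the hypothetical token name safe-user; morgan.token(name, fn) is morgan's real registration API but is not called here so the block runs stand-alone.

```javascript
// Added example, not morgan's own code: a sanitising replacement for the
// built-in :remote-user token. Assumes Node.js; 'safe-user' is a hypothetical
// token name chosen for this example.

// Extract the user-id from an "Authorization: Basic <base64>" header.
// Returns undefined when the header is missing or is not a Basic credential.
function basicUser(authHeader) {
  if (typeof authHeader !== 'string') return undefined;
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/i.exec(authHeader.trim());
  if (!m) return undefined;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  return colon === -1 ? decoded : decoded.slice(0, colon);
}

// Render every ASCII control character (CR, LF, ESC, NUL, ...) and DEL as a
// visible \xNN escape. The result can never contain a line break, so
// downstream log parsers see exactly one entry per request.
function sanitizeForLog(value) {
  return value.replace(/[\x00-\x1f\x7f]/g,
    (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Token callback in the shape morgan.token(name, fn) expects: it receives the
// request and returns the text to substitute. Register it with
//   morgan.token('safe-user', safeRemoteUser)
// and reference :safe-user instead of :remote-user in the format string.
function safeRemoteUser(req) {
  const user = basicUser(req && req.headers && req.headers.authorization);
  return user === undefined ? '-' : sanitizeForLog(user);
}

// Constructed request whose credential carries CR LF followed by text shaped
// like the start of a second log entry; the sanitised token keeps it on one line.
const forgedRequest = {
  headers: {
    authorization: 'Basic ' +
      Buffer.from('alice\r\n10.0.0.1 - bob:pw').toString('base64'),
  },
};
console.log(safeRemoteUser(forgedRequest));
// prints: alice\x0d\x0a10.0.0.1 - bob
```

The same escaping can be applied to any other token that echoes request-controlled text (for example :referrer or :user-agent), since the underlying issue is unescaped control characters in a line-oriented log.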

Affected Version(s)

morgan >= 1.2.0, <= 1.10.1 (affected)

morgan 1.11.0 (fixed)

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yuki Matsuhashi
Ulises Gascón
Jon Church