Insufficient TLS Protection in Guzzle PHP HTTP Client
CVE-2026-55568
What is CVE-2026-55568?
The Guzzle PHP HTTP client, prior to version 7.12.1, is susceptible to inadequate TLS protection when configured with certain proxy settings. Under specific circumstances, traffic that should be encrypted when relayed through a proxy is transmitted in cleartext, exposing sensitive items such as proxy authentication credentials and the target host information for tunneled HTTPS requests. This issue arises when the application sends requests through Guzzle's built-in cURL handlers while using a proxy that employs an 'https://' URL. If the underlying libcurl version is older than 7.50.2, it interprets the secure proxy configuration as a non-secure plaintext one and fails to establish a TLS connection, resulting in unencrypted communication. This vulnerability is rectified in version 7.12.1.
Affected Version(s)
guzzle < 7.12.1
