Insufficient TLS Protection in Guzzle PHP HTTP Client
CVE-2026-55568

5.9MEDIUM

Key Information:

Vendor

Guzzle

Status
Vendor
CVE Published:
23 June 2026

What is CVE-2026-55568?

The Guzzle PHP HTTP client, prior to version 7.12.1, is susceptible to inadequate TLS protection when configured with certain proxy settings. Under specific circumstances, traffic that should be encrypted when relayed through a proxy is transmitted in cleartext, exposing sensitive items such as proxy authentication credentials and the target host information for tunneled HTTPS requests. This issue arises when the application sends requests through Guzzle's built-in cURL handlers while using a proxy that employs an 'https://' URL. If the underlying libcurl version is older than 7.50.2, it interprets the secure proxy configuration as a non-secure plaintext one and fails to establish a TLS connection, resulting in unencrypted communication. This vulnerability is rectified in version 7.12.1.

Affected Version(s)

guzzle < 7.12.1

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.