Cookie Injection Vulnerability in Guzzle PHP HTTP Client
CVE-2026-55767
5.8MEDIUM
What is CVE-2026-55767?
The Guzzle PHP HTTP client contains a vulnerability that allows for cookie injection due to improper handling of cookies with dot-only Domain attributes and variances padded with whitespace. Specifically, prior to version 7.12.1, the CookieJar component accepted such cookies, leading to potential security risks where an attacker could exploit this misconfiguration. This could result in session fixation or cookie injection vulnerabilities impacting downstream services that utilize the same cookie jar. The vulnerability has been remedied in version 7.12.1, which strengthens cookie domain validation.
Affected Version(s)
guzzle < 7.12.1
