Cookie Injection Vulnerability in Guzzle PHP HTTP Client
CVE-2026-55767

5.8MEDIUM

Key Information:

Vendor

Guzzle

Status
Vendor
CVE Published:
23 June 2026

What is CVE-2026-55767?

The Guzzle PHP HTTP client contains a vulnerability that allows for cookie injection due to improper handling of cookies with dot-only Domain attributes and variances padded with whitespace. Specifically, prior to version 7.12.1, the CookieJar component accepted such cookies, leading to potential security risks where an attacker could exploit this misconfiguration. This could result in session fixation or cookie injection vulnerabilities impacting downstream services that utilize the same cookie jar. The vulnerability has been remedied in version 7.12.1, which strengthens cookie domain validation.

Affected Version(s)

guzzle < 7.12.1

References

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.