Cross-Origin Credential Leakage in LWP::UserAgent by Perl
CVE-2026-8368

Currently unrated

Key Information:

Vendor: Oalders

CVE Published: 12 May 2026

What is CVE-2026-8368?

The LWP::UserAgent module in Perl is vulnerable to an issue involving the leakage of Authorization and Proxy-Authorization headers during cross-origin redirects. Specifically, when handling a 3xx response, the redirect logic incorrectly forwards the user-supplied credentials to potentially untrusted domains. This means that if a user is redirected to a malicious site, their sensitive information, including authentication credentials, can be disclosed. To protect against this issue, users should upgrade to LWP::UserAgent version 6.83 or later.

Affected Version(s)

LWP::UserAgent 0 < 6.83

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kai Aizen