Improper Cache Handling Vulnerability in Undici by Node.js
CVE-2026-9678

5.9 MEDIUM

Key Information:

Vendor: Undici

Status: Vendor

CVE Published: 17 June 2026

What is CVE-2026-9678?

A vulnerability in the Undici HTTP client allows improper cache handling: responses containing sensitive user data may be incorrectly cached and served to unauthorized users. It occurs when the cache interceptor is enabled in shared mode and forwards Authorization headers while handling responses whose cache directives are written in a non-canonical form. As a result, one user's authenticated response can be exposed to subsequent requests from other users, a significant privacy breach. To mitigate this risk, users should upgrade to the latest versions of Undici or apply a workaround such as disabling shared-cache mode for traffic that carries Authorization headers.
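The storability decision a cache layer should make for the situation described above, as an added example that is not Undici's own code: it assumes plain header objects (names in any case) and covers only the RFC 9111 directive rules relevant to shared caches and Authorization requests, comparing directive names case-insensitively so non-canonical spellings are honoured.

```javascript
// Added example, not Undici's code: a storability check a cache layer can apply
// before saving a response, covering the two conditions in the advisory:
// the cache runs in shared mode and the request carried an Authorization header.
// Directive names are compared case-insensitively so non-canonical spellings
// ("Private", "NO-STORE", "Public") are honoured rather than silently ignored.

function parseCacheControl(header) {
  // Returns a Map of lower-cased directive name -> value (true when valueless).
  const directives = new Map();
  if (!header) return directives;
  for (const part of header.split(',')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (name === '') continue;
    const value = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    directives.set(name, value);
  }
  return directives;
}

function hasHeader(headers, name) {
  return Object.keys(headers).some((h) => h.toLowerCase() === name);
}

// cacheType is 'shared' or 'private'; header objects are plain name -> value maps
// (a constructed shape for this example; header names may be in any case).
function isStorable({ cacheType, requestHeaders, responseHeaders }) {
  const ccName = Object.keys(responseHeaders).find((h) => h.toLowerCase() === 'cache-control');
  const cc = parseCacheControl(ccName ? responseHeaders[ccName] : '');
  if (cc.has('no-store')) return false;
  if (cacheType !== 'shared') return true;
  // Any "private" directive is treated as non-storable by a shared cache here
  // (conservative: RFC 9111 allows private=<field-list> to be stored with those fields stripped).
  if (cc.has('private')) return false;
  if (hasHeader(requestHeaders, 'authorization')) {
    // RFC 9111 section 3.5: a response to an authenticated request must not enter a
    // shared cache unless the origin explicitly allows it with one of these directives.
    return cc.has('public') || cc.has('must-revalidate') || cc.has('s-maxage');
  }
  return true;
}

// Constructed sample: the pattern from the advisory, checked in both cache modes.
const sampleRequest = { Authorization: 'Bearer constructed-token' };
const sampleResponse = { 'Cache-Control': 'Max-Age=300' };
console.log('shared :', isStorable({ cacheType: 'shared', requestHeaders: sampleRequest, responseHeaders: sampleResponse }));   // false
console.log('private:', isStorable({ cacheType: 'private', requestHeaders: sampleRequest, responseHeaders: sampleResponse })); // true
```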

Affected Version(s)

undici 7.0.0 < 7.28.0

undici 8.0.0 < 8.5.0

undici 7.28.0

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

mcollina
UlisesGascon
AndrewMohawk