PatchSiren cyber security CVE debrief
CVE-2026-15075 Eclipse Foundation CVE debrief
CVE-2026-15075 is a vulnerability in Eclipse Vert.x versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch). The DefaultRedirectHandler (vertx-core) propagates all request headers as-is across cross-origin HTTP 30x redirects. Only Content-Length is stripped; no origin comparison (scheme, host, port) is performed before copying headers to the redirect target. This can lead to credential headers, including Authorization, Cookie, Proxy-Authorization, and arbitrary custom headers such as X-API-Token, being forwarded to the redirect destination without the caller's knowledge.
- Vendor
- Eclipse Foundation
- Product
- Eclipse Vert.x
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Developers and administrators using Eclipse Vert.x for building web applications, especially those handling sensitive data or authentication, should be aware of this vulnerability. The exposure of sensitive headers during redirects can lead to unauthorized access or data breaches.
Technical summary
The DefaultRedirectHandler in Eclipse Vert.x propagates all request headers across cross-origin HTTP 30x redirects without proper origin comparison. This results in potential exposure of sensitive headers like Authorization, Cookie, and custom tokens. The issue exists in Vert.x versions up to 4.5.29 and 5.1.4. Affected deployments should assess their applications' use of DefaultRedirectHandler and consider implementing compensating controls. Limited information is available about affected products and versions beyond the Eclipse Vert.x project, so evidence-based verification is recommended.
Defensive priority
High priority should be given to updating affected versions of Eclipse Vert.x. Developers should assess their applications' use of DefaultRedirectHandler and consider implementing compensating controls, such as header stripping in redirects or validating redirect targets.
Recommended defensive actions
- Update to a patched version of Eclipse Vert.x (4.5.30 or later, 5.1.5 or later)
- Review and modify application code to use custom redirect handlers with proper header management
- Implement additional security measures, such as validating redirect targets and stripping sensitive headers
- Monitor applications for suspicious redirect behavior
- Perform an inventory of assets using Eclipse Vert.x to identify potential exposure
- Review system logs for evidence of exploitation attempts
- Consider implementing Web Application Firewalls (WAFs) to detect and prevent attacks
Evidence notes
The CVE record was published on 2026-07-14T09:16:40.180Z and has not been modified since then. The NVD entry is currently Received. Limited information is available about affected products and versions beyond the Eclipse Vert.x project.
Official resources
-
CVE-2026-15075 CVE record
CVE.org
-
CVE-2026-15075 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:40.180Z and has not been modified since then. The NVD entry is currently Received.