PatchSiren cyber security CVE debrief
CVE-2026-15076 Eclipse Foundation CVE debrief
CVE-2026-15076 is a high-severity vulnerability in Eclipse Vert.x Web Client that allows attackers to inject cookies scoped to arbitrary third-party domains. This issue arises from the WebClientSession component's failure to validate the Domain attribute of a Set-Cookie response header, violating RFC 6265 section 5.3. An attacker controlling any server contacted by the victim application can exploit this to inject a cookie scoped to a targeted domain. When the victim application sends a request to the targeted domain using the same WebClientSession, it presents the attacker-injected cookie, allowing the attacker to process the request under their own account. Sensitive data in the victim's requests, such as payment amounts or API payloads, may then be accessible to the attacker.
- Vendor
- Eclipse Foundation
- Product
- Eclipse Vert.x
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Developers and administrators using Eclipse Vert.x Web Client versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch) should be aware of this vulnerability. Applications that handle sensitive data, such as payment information or authentication credentials, are particularly at risk. Security teams should prioritize patching or mitigating this vulnerability to prevent potential attacks.
Technical summary
The WebClientSession component of Eclipse Vert.x Web Client does not validate the Domain attribute of a Set-Cookie response header, allowing an attacker to inject a cookie scoped to an arbitrary third-party domain. This occurs because the session store performs no cross-domain ownership check, storing and transmitting the injected cookie to the targeted domain. When the victim application subsequently sends a request to the targeted domain using the same WebClientSession, it presents the attacker-injected cookie, enabling the attacker to process the request under their own account.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates to Eclipse Vert.x Web Client to version 4.5.30 or later (4.x branch) and 5.1.5 or later (5.x branch).
- Implement additional security measures, such as validating the Domain attribute of Set-Cookie response headers, to mitigate the vulnerability in affected versions.
- Monitor applications that use Eclipse Vert.x Web Client for suspicious activity, such as unexpected cookie injection or requests to targeted domains.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-14T09:16:40.313Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the vulnerability's impact and affected systems.
Official resources
-
CVE-2026-15076 CVE record
CVE.org
-
CVE-2026-15076 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:40.313Z and has not been modified since then. The NVD entry is currently Received.