PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15076 Eclipse Foundation CVE debrief

CVE-2026-15076 is a high-severity vulnerability in Eclipse Vert.x Web Client that allows attackers to inject cookies scoped to arbitrary third-party domains. This issue arises from the WebClientSession component's failure to validate the Domain attribute of a Set-Cookie response header, violating RFC 6265 section 5.3. An attacker controlling any server contacted by the victim application can exploit this to inject a cookie scoped to a targeted domain. When the victim application sends a request to the targeted domain using the same WebClientSession, it presents the attacker-injected cookie, allowing the attacker to process the request under their own account. Sensitive data in the victim's requests, such as payment amounts or API payloads, may then be accessible to the attacker.

Vendor
Eclipse Foundation
Product
Eclipse Vert.x
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-14
Advisory published
2026-07-14
Advisory updated
2026-07-14

Who should care

Developers and administrators using Eclipse Vert.x Web Client versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch) should be aware of this vulnerability. Applications that handle sensitive data, such as payment information or authentication credentials, are particularly at risk. Security teams should prioritize patching or mitigating this vulnerability to prevent potential attacks.

Technical summary

The WebClientSession component of Eclipse Vert.x Web Client does not validate the Domain attribute of a Set-Cookie response header, allowing an attacker to inject a cookie scoped to an arbitrary third-party domain. This occurs because the session store performs no cross-domain ownership check, storing and transmitting the injected cookie to the targeted domain. When the victim application subsequently sends a request to the targeted domain using the same WebClientSession, it presents the attacker-injected cookie, enabling the attacker to process the request under their own account.

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates to Eclipse Vert.x Web Client to version 4.5.30 or later (4.x branch) and 5.1.5 or later (5.x branch).
  • Implement additional security measures, such as validating the Domain attribute of Set-Cookie response headers, to mitigate the vulnerability in affected versions.
  • Monitor applications that use Eclipse Vert.x Web Client for suspicious activity, such as unexpected cookie injection or requests to targeted domains.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-14T09:16:40.313Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the vulnerability's impact and affected systems.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:40.313Z and has not been modified since then. The NVD entry is currently Received.