PatchSiren cyber security CVE debrief

CVE-2026-49214 guzzle CVE debrief

CVE-2026-49214 is a vulnerability in the Guzzle PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. This vulnerability can cause the serialized request to contain additional attacker-controlled header lines, potentially leading to request smuggling or cache poisoning.

Vendor
guzzle
Product
psr7
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-11
Original CVE updated
2026-06-11
Advisory published
2026-06-11
Advisory updated
2026-06-11

Who should care

Developers and administrators using the Guzzle PSR-7 HTTP message library in PHP, especially those who pass user-controlled URLs into outbound HTTP requests, URL forwarding, proxying, crawling, webhook delivery, or similar request-dispatch flows.

Technical summary

The vulnerability exists in the Guzzle PSR-7 HTTP message library implementation in PHP, specifically in versions prior to 2.10.2. The issue arises when user-controlled URLs are used to construct PSR-7 `Uri` or `Request` instances and the host component contains CRLF or another header-unsafe character. Because the host value is copied into the serialized request (request line and `Host` header) without being rejected, a CRLF inside it terminates the header line, so the rest of the value is emitted as additional header lines the attacker controls.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 2.10.2 or later of the Guzzle PSR-7 HTTP message library.
  • Validate and reject all untrusted URI strings before constructing PSR-7 `Uri` or `Request` instances.
  • Reject input whose host component contains ASCII control characters, whitespace, or DEL (for example CRLF, tab, space, or NUL bytes).
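
The following is an added example of the pre-construction check recommended above; it is not Guzzle's own code and not part of the original debrief. It assumes the caller is about to pass the string to a PSR-7 `Uri` or `Request` constructor, and the allow-list regex for the parsed host is an assumption drawn from the RFC 3986 host grammar rather than anything the advisory specifies.

```php
<?php
declare(strict_types=1);

// Added defensive example (not Guzzle's code): reject URI strings whose host
// component contains header-unsafe bytes before building a PSR-7 Uri/Request.

/**
 * Returns true when $uri is safe to hand to a PSR-7 Uri/Request constructor,
 * false when it carries ASCII control characters (0x00-0x1F), whitespace, or
 * DEL (0x7F), the byte class described for CVE-2026-49214, or has no host.
 */
function hostIsHeaderSafe(string $uri): bool
{
    // Fast path: a raw control byte, space or DEL is never valid in a URI
    // (RFC 3986 requires percent-encoding), so reject it before parsing
    // rather than trusting the parser to split a poisoned host cleanly.
    if (preg_match('/[\x00-\x20\x7F]/', $uri) === 1) {
        return false;
    }

    $parts = parse_url($uri);
    if ($parts === false || !isset($parts['host']) || $parts['host'] === '') {
        return false; // unparsable or host-less: not an absolute URL we can dispatch
    }

    // Defence in depth (assumed allow-list): the host must be an IP-literal in
    // brackets or a reg-name/IPv4 built only from RFC 3986 host characters.
    $hostPattern = '/^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%!$&\'()*+,;=]+)$/';
    return preg_match($hostPattern, $parts['host']) === 1;
}

// Constructed sample inputs for demonstration; the value is the expected verdict.
$samples = [
    'https://example.com/path'                    => true,
    "https://example.com\r\nX-Injected: 1/path" => false, // CRLF in host
    "https://example.com\tevil/path"              => false, // tab
    'https://exa mple.com/'                       => false, // space
    "https://example.com\x7F/"                    => false, // DEL
    "https://example.com\x00/"                    => false, // NUL
    'https://[2001:db8::1]:8443/'                 => true,  // IPv6 literal with port
    '/relative/only'                              => false, // no host to validate
];

foreach ($samples as $uri => $expected) {
    $result = hostIsHeaderSafe($uri);
    printf(
        "%-48s => %s%s\n",
        json_encode($uri),
        $result ? 'accept' : 'reject',
        $result === $expected ? '' : '  (UNEXPECTED)'
    );
}
```

Call `hostIsHeaderSafe()` on every untrusted URL before `new GuzzleHttp\Psr7\Uri($url)` or `new GuzzleHttp\Psr7\Request($method, $url)`, and treat a `false` as a hard rejection rather than attempting to strip the offending bytes. The fast path is deliberately stricter than the host component alone: a raw control byte or space anywhere in a URI is already malformed, and rejecting it before `parse_url()` avoids depending on how the parser tokenizes a host that contains a line break. The check is a stop-gap for code paths that cannot move to 2.10.2 immediately; the upgrade remains the primary fix.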

Evidence notes

The vulnerability is patched in `2.10.2` and later. `1.x` is end-of-life and will not receive a patch.

Official resources

Publicly disclosed on 2026-06-11T13:16:33.300Z.