PatchSiren cyber security CVE debrief
CVE-2026-55767 Guzzlephp CVE debrief
CVE-2026-55767 is a medium-severity vulnerability in Guzzle, a PHP HTTP client. The vulnerability arises from the CookieJar component incorrectly accepting cookies with a dot-only Domain attribute and whitespace-padded variants. This issue allows an attacker-controlled origin to set a cookie that Guzzle later sends to unrelated hosts using the same jar, potentially leading to cookie injection or session fixation against downstream services. The vulnerability is fixed in Guzzle version 7.12.1. This issue has a CVSS score of 5.8 and is classified as MEDIUM severity.
- Vendor: Guzzlephp
- Product: Guzzle
- CVSS: MEDIUM 5.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-26
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-26
Who should care
Developers and administrators running applications built on Guzzle, especially ones that handle sensitive data or user sessions, should take note of this vulnerability: it may allow attackers to inject cookies or fixate sessions, potentially leading to unauthorized access or data manipulation. Users of Guzzle should ensure they are running version 7.12.1 or later to mitigate this risk.
Technical summary
The vulnerability in Guzzle's CookieJar component stems from improper handling of cookies whose Domain attribute is dot-only, or a whitespace-padded variant of it. The SetCookie::matchesDomain() method strips leading dots from the cookie domain, so a dot-only value normalizes to an empty string, which the matcher treats as matching any request host. SetCookie::validate(), however, rejects only a strictly empty domain, so the dot-only value passes validation and is stored. The result is a cookie that matches every host the jar is used with: a cookie set by an attacker-controlled origin is later sent by Guzzle to unrelated hosts that share the same cookie jar, which could enable cookie injection or session fixation attacks against downstream services.
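Added example, not Guzzle's own code: a self-contained PHP model of the two checks described above (the dot-stripping domain matcher beside a validator that rejects only a strictly empty Domain) next to a hardened validator that normalizes before deciding. `normalizeDomain`, the sample Domain values and the host `api.internal.example` are constructed, and the model assumes whitespace is trimmed during normalization, which is what makes the padded variants behave like a bare dot.

```php
<?php
declare(strict_types=1);
// Constructed model of the two checks described above; not Guzzle's code.
// Assumes the Domain value has already been extracted from the Set-Cookie
// header and that normalization trims whitespace as well as leading dots.
function normalizeDomain(string $cookieDomain): string
{
    return ltrim(trim(strtolower($cookieDomain)), '.');
}

// Lenient validation: only a strictly empty string is rejected, so '.' and
// ' . ' pass even though they normalize to ''.
function validateDomainLenient(?string $cookieDomain): bool
{
    return $cookieDomain !== null && $cookieDomain !== '';
}

// Hardened validation: normalize first, then reject anything left empty.
function validateDomainStrict(?string $cookieDomain): bool
{
    return $cookieDomain !== null && normalizeDomain($cookieDomain) !== '';
}

// Domain matching as the summary describes it: after stripping the leading
// dots an empty cookie domain is treated as "matches any host".
function matchesDomain(string $cookieDomain, string $requestHost): bool
{
    $cookieDomain = normalizeDomain($cookieDomain);
    $requestHost  = strtolower($requestHost);
    if ($cookieDomain === '' || $cookieDomain === $requestHost) {
        return true;
    }
    if (filter_var($requestHost, FILTER_VALIDATE_IP) !== false) {
        return false; // no suffix matching against IP literals
    }
    return (bool) preg_match('/\.' . preg_quote($cookieDomain, '/') . '$/', $requestHost);
}

// Sample Domain values (constructed) checked against an unrelated host.
$unrelatedHost = 'api.internal.example';
foreach (['.', ' . ', '..', '.example.com', 'example.com'] as $domain) {
    printf(
        "%-16s lenient=%-6s strict=%-6s sent-to-%s=%s\n",
        var_export($domain, true),
        validateDomainLenient($domain) ? 'accept' : 'reject',
        validateDomainStrict($domain) ? 'accept' : 'reject',
        $unrelatedHost,
        matchesDomain($domain, $unrelatedHost) ? 'yes' : 'no'
    );
}
```

The first three values pass the lenient validator yet match the unrelated host, while the strict validator rejects them; the two real domains behave the same under both.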
Defensive priority
Medium priority should be given to updating Guzzle to version 7.12.1 or later. In the meantime, defenders should monitor for suspicious cookie activity and consider implementing additional security measures to protect against potential cookie injection or session fixation attacks.
Recommended defensive actions
- Update Guzzle to version 7.12.1 or later
- Monitor for suspicious cookie activity
- Implement additional security measures to protect against cookie injection or session fixation attacks
- Review and update downstream services to handle injected cookies securely
- Consider using a Web Application Firewall (WAF) to detect and prevent suspicious cookie activity
Evidence notes
The CVE-2026-55767 vulnerability was publicly disclosed on June 23, 2026, and the NVD record was last modified on June 26, 2026. The vulnerability has a CVSS score of 5.8 and is classified as MEDIUM severity. The fix for this vulnerability is included in Guzzle version 7.12.1.
Official resources
- CVE-2026-55767 CVE record (CVE.org)
- CVE-2026-55767 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
This article is AI-assisted and based on the supplied source corpus.