PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44979 hapijs CVE debrief

CVE-2026-44979 is a MEDIUM severity vulnerability in @hapi/wreck, an HTTP client utility. Prior to version 18.1.1, the library improperly handles 3xx redirects, potentially exposing forward-proxy credentials to a host outside the original trust boundary when redirects are enabled. This issue arises because @hapi/wreck only strips the Authorization and Cookie headers during redirects, but not the Proxy-Authorization header, which may contain sensitive forward-proxy credentials. Users of @hapi/wreck, especially those using versions prior to 18.1.1, should be aware of this vulnerability and take steps to mitigate it, as it could lead to credential exposure. The vulnerability was addressed in version 18.1.1, and users are advised to update to this version or later to prevent potential credential exposure.

Vendor
hapijs
Product
wreck
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of @hapi/wreck, especially those using versions prior to 18.1.1, should be aware of this vulnerability and take steps to mitigate it, as it could lead to credential exposure. This includes developers and security teams responsible for maintaining and securing applications that utilize @hapi/wreck for HTTP client operations. Additionally, operators and platform administrators should review their environments for potential exposure and ensure that necessary updates or mitigations are applied.

Technical summary

The @hapi/wreck library, used for HTTP client operations, had a vulnerability where it would follow 3xx redirects to different hostnames. In doing so, it would strip only the Authorization and Cookie headers, but not the Proxy-Authorization header, which could contain forward-proxy credentials. This behavior could lead to the exposure of sensitive credentials to hosts outside the original trust boundary when the redirects option is enabled. The issue was addressed in version 18.1.1 by properly handling the Proxy-Authorization header during redirects.

Defensive priority

Medium priority should be given to updating @hapi/wreck to version 18.1.1 or later, especially in environments where redirects are commonly used or where credential exposure could have significant impacts.

Recommended defensive actions

  • Update @hapi/wreck to version 18.1.1 or later
  • Review and adjust redirect settings in applications using @hapi/wreck
  • Monitor for any unusual activity related to @hapi/wreck usage
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD entry provide details on the vulnerability. The fix is included in version 18.1.1 of @hapi/wreck. Users should verify their library versions and update as necessary. It's essential to review the official advisory for accurate affected scope, severity, and vendor guidance. Additionally, defenders should verify library usage in their environments and assess potential exposure.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T22:17:12.710Z and has not been modified since then.