PatchSiren cyber security CVE debrief
CVE-2026-48022 hapijs CVE debrief
CVE-2026-48022 is a MEDIUM severity vulnerability in @hapi/wreck, an HTTP client utility. The issue allows credentials to be forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, enabling a co-tenant on an adjacent port or a network-position attacker to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.
- Vendor
- hapijs
- Product
- wreck
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Defenders of applications using @hapi/wreck should review and update to version 18.1.2 if necessary, considering the potential impact on affected operators, platforms, and security teams, and ensuring that compensating controls are in place for credential protection, while also verifying inventory of affected systems and tracking exceptions for unusual credential usage.
Technical summary
The @hapi/wreck HTTP client utility has a vulnerability that strips credential headers, including Authorization, Cookie, and Proxy-Authorization, before following a cross-origin redirect. However, the origin check compares hostnames only and ignores scheme and port, allowing credentials to be forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades. This enables a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service.
Defensive priority
Medium priority due to the potential for credential capture and impersonation.
Recommended defensive actions
- Review and update @hapi/wreck to version 18.1.2 if necessary
- Monitor for and restrict unexpected redirects
- Implement compensating controls for credential protection
- Verify inventory of affected systems
- Exception tracking for unusual credential usage
Evidence notes
Evidence is based on official CVE and NVD records, as well as source references from GitHub. The CVE record was published on 2026-07-17T22:17:14.413Z and has not been modified since then. The NVD entry is currently 6.5 MEDIUM.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T22:17:14.413Z and has not been modified since then.