PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48022 hapijs CVE debrief

CVE-2026-48022 is a MEDIUM severity vulnerability in @hapi/wreck, an HTTP client utility. The issue allows credentials to be forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades, enabling a co-tenant on an adjacent port or a network-position attacker to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service. This issue is fixed in version 18.1.2.

Vendor
hapijs
Product
wreck
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Defenders of applications using @hapi/wreck should review and update to version 18.1.2 if necessary, considering the potential impact on affected operators, platforms, and security teams, and ensuring that compensating controls are in place for credential protection, while also verifying inventory of affected systems and tracking exceptions for unusual credential usage.

Technical summary

The @hapi/wreck HTTP client utility has a vulnerability that strips credential headers, including Authorization, Cookie, and Proxy-Authorization, before following a cross-origin redirect. However, the origin check compares hostnames only and ignores scheme and port, allowing credentials to be forwarded intact across same-host port changes and HTTPS-to-HTTP downgrades. This enables a co-tenant on an adjacent port or a network-position attacker capable of forging a redirect to capture bearer tokens, session cookies, and proxy credentials and impersonate the victim against the upstream service.

Defensive priority

Medium priority due to the potential for credential capture and impersonation.

Recommended defensive actions

  • Review and update @hapi/wreck to version 18.1.2 if necessary
  • Monitor for and restrict unexpected redirects
  • Implement compensating controls for credential protection
  • Verify inventory of affected systems
  • Exception tracking for unusual credential usage

Evidence notes

Evidence is based on official CVE and NVD records, as well as source references from GitHub. The CVE record was published on 2026-07-17T22:17:14.413Z and has not been modified since then. The NVD entry is currently 6.5 MEDIUM.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T22:17:14.413Z and has not been modified since then.