PatchSiren cyber security CVE debrief
CVE-2026-33637 lostisland CVE debrief
CVE-2026-33637 describes a host-override flaw in Faraday's request-building logic. In affected versions, a URI object can trigger protocol-relative handling that bypasses the earlier February 2026 fix for GHSA-33mh-2634-fwr2. That can turn a request from a fixed-base Faraday::Connection into an off-host request forgery and may forward connection-scoped values such as Authorization headers and default query parameters. The issue is fixed in Faraday 2.14.3.
- Vendor: lostisland
- Product: faraday
- CVSS: NONE
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-21
Who should care
Teams using Faraday with connection-level credentials, default query parameters, or any code path where request targets may be influenced by application data should review this immediately. The exposure is most relevant when URI objects are passed into request-building APIs or when the application assumes the connection base URL cannot be overridden.
Technical summary
The flaw affects Faraday::Connection#build_exclusive_url when the request target is provided as a URI object rather than a String. Versions 2.0.0 through 2.14.1 can allow protocol-relative host override, which bypasses the earlier GHSA-33mh-2634-fwr2 remediation. Because the request is built from an existing connection, the attacker-controlled host can receive connection-scoped data, including Authorization headers and default query parameters. The supplied source maps this issue to CWE-918 and identifies Faraday 2.14.3 as the fix.
Defensive priority
High for applications that use Faraday with sensitive defaults or credentials and any request path that may accept URI objects from untrusted or partially trusted input. Otherwise, prioritize patching during the next maintenance window, since the issue can defeat a prior mitigation and leak request-scoped data off-host.
Recommended defensive actions
- Upgrade Faraday to 2.14.3 or later.
- Audit code that passes URI objects into Faraday::Connection#build_exclusive_url or related request builders.
- Avoid attaching long-lived Authorization headers or other sensitive defaults to connections that may be reused for dynamic destinations.
- Add tests that verify the final request host cannot be changed away from the intended base URL.
- Recheck any mitigation put in place for GHSA-33mh-2634-fwr2, because this CVE bypasses that earlier fix in the URI-object path.
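The technical summary above describes the mechanism in general terms (a URI object reaching the request builder can replace the connection's host), and the last two actions ask for code review and tests around the final request host. As an added example that is not part of the PatchSiren debrief and not Faraday's own code, the Ruby below models the resolution step with the standard library's URI and shows the guard a defender can run before a request leaves a fixed-base connection. The module name HostGuard, the base URL and the example hosts are all constructed for this illustration; it does not reproduce Faraday's internal build_exclusive_url logic.

```ruby
require "uri"

# HostGuard (hypothetical name) is an added example, not Faraday's code.
# It resolves a request target against a fixed base URL the way an
# RFC 3986 reference resolver does and refuses targets that land on a
# different origin, so connection-scoped defaults never leave the base host.
module HostGuard
  class OffHostRequest < StandardError; end

  # Resolve +target+ (String or URI) against +base+.
  # Per RFC 3986 section 5.2.2 a network-path reference such as "//h/p"
  # keeps the base scheme but replaces the whole authority, which is why the
  # host check must run on the *resolved* URL rather than on the raw input.
  def self.resolve(base, target)
    URI.join(URI(base), target)
  end

  # True when scheme, host (case-insensitively) and port all match the base.
  def self.same_origin?(base, resolved)
    base = URI(base)
    base.scheme == resolved.scheme &&
      base.host.to_s.downcase == resolved.host.to_s.downcase &&
      base.port == resolved.port
  end

  # Classify a target for audits and tests: :on_host or :off_host.
  def self.classify(base, target)
    same_origin?(base, resolve(base, target)) ? :on_host : :off_host
  end

  # Return the resolved URI if it stays on the base origin; raise otherwise.
  # Call this before handing the URL (and any default headers) to the client.
  def self.checked_url(base, target)
    resolved = resolve(base, target)
    unless same_origin?(base, resolved)
      raise OffHostRequest,
            "refusing request to #{resolved.host}: not on #{URI(base).host}"
    end
    resolved
  end
end

# Constructed base URL for a stand-alone run; none of the hosts below are real.
BASE_URL = "https://api.example.com/v1/".freeze

if __FILE__ == $PROGRAM_NAME
  [
    "users/1",                        # relative path, stays on the base host
    URI("users/1"),                   # same target passed as a URI object
    "//other.example/collect",        # protocol-relative String
    URI("//other.example/collect"),   # protocol-relative URI object (the input shape the debrief names)
    "https://other.example/collect",  # absolute off-host URL
    "https://api.example.com:8443/x", # same host, different port
  ].each do |target|
    puts format("%-45s -> %s", target.inspect, HostGuard.classify(BASE_URL, target))
  end
end
```

The point of checking the resolved URL rather than the input is that a relative path and a protocol-relative reference look similar as strings or URI objects, but only the resolved result tells you which host the bytes (and the connection's Authorization header) would actually go to. The same classify call works as the assertion in a regression test for the fourth recommended action.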
Evidence notes
The supplied CVE description states the affected range (2.0.0 through 2.14.1), the bypass condition (URI object input to build_exclusive_url), the impact (off-host request forgery and forwarding of Authorization headers and default query parameters), and the fixed version (2.14.3). The NVD source item is marked 'Awaiting Analysis' and includes a zero-impact CVSS vector, so real-world priority should be based on how Faraday is used in the application rather than the database score alone.
Official resources
- CVE-2026-33637 CVE record (CVE.org)
- CVE-2026-33637 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
Publicly disclosed in the NVD/CVE record on 2026-05-19. The source corpus ties it to Faraday's security advisories, notes a bypass of the earlier GHSA-33mh-2634-fwr2 fix, and states that Faraday 2.14.3 contains the remediation.