PatchSiren cyber security CVE debrief

CVE-2026-43972 ninenines CVE debrief

CVE-2026-43972 is an Origin Validation Error vulnerability in the gun_http2 module of ninenines gun. The vulnerability allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority. This occurs because the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. As a result, a malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store, enabling session fixation attacks against those domains and potentially resulting in account takeover.

Vendor: ninenines
Product: gun
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-09
Advisory published: 2026-06-08
Advisory updated: 2026-06-09

Who should care

Users of ninenines gun (gun_http2 module) running any version from 2.0.0 up to, but not including, 2.4.0 are affected by this vulnerability.

Technical summary

The vulnerability is caused by gun_http2:push_promise_frame/7 not validating the :authority pseudo-header of an incoming PUSH_PROMISE frame against the connection's origin before storing it in the promised stream record. Because the server-supplied authority is trusted as-is, a malicious or compromised server can inject cookies for other domains into the client's shared cookie store, potentially leading to session fixation attacks and account takeover.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to version 2.4.0 or later of ninenines gun (gun_http2 module) to fix the vulnerability.
  • If you maintain a fork or vendored copy, validate the :authority pseudo-header in gun_http2:push_promise_frame/7 against the connection's origin before the promised stream record is stored.
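As an added illustration of the check the advisory calls for, the module below (written for this debrief, not gun's own code nor the fix the project shipped) parses the :authority value of a PUSH_PROMISE and compares it with the connection's origin; a mismatch is reported so the caller can reject the promised stream instead of recording the server-supplied authority verbatim. The module and function names, the {Scheme, Host, Port} origin tuple and the sample values are assumptions made for this example.

```erlang
%% Added example, not ninenines gun code: origin validation for the
%% :authority pseudo-header of an HTTP/2 PUSH_PROMISE frame.
%% Module name, function names and the origin tuple shape are assumptions.
-module(push_authority_check).
-export([validate_push_authority/2, parse_authority/2, demo/0]).

%% Origin is {Scheme, Host, Port} for the live connection, e.g.
%% {https, <<"api.example.com">>, 443}. Authority is the raw :authority
%% binary taken from the PUSH_PROMISE header block.
%% Returns ok when host and port match the origin (host compared
%% case-insensitively), otherwise {error, Reason}. RFC 9113 section 8.4
%% has the client treat a push for which the server is not authoritative
%% as a stream error of type PROTOCOL_ERROR.
validate_push_authority({Scheme, OriginHost, OriginPort}, Authority) ->
    case parse_authority(Authority, Scheme) of
        {ok, Host, Port} ->
            HostMatches = string:lowercase(Host) =:= string:lowercase(OriginHost),
            case {HostMatches, Port =:= OriginPort} of
                {true, true} -> ok;
                {false, _}   -> {error, host_mismatch};
                {_, false}   -> {error, port_mismatch}
            end;
        {error, _} = Error ->
            Error
    end.

%% Split "host[:port]" into {ok, Host, Port}; a missing port defaults by
%% scheme. IPv6 literals ("[::1]:443") and empty values are handled
%% explicitly so a malformed authority is rejected rather than stored.
parse_authority(<<>>, _Scheme) ->
    {error, empty_authority};
parse_authority(<<$[, Rest/binary>>, Scheme) ->
    case binary:split(Rest, <<"]">>) of
        [Host, <<>>] ->
            {ok, <<$[, Host/binary, $]>>, default_port(Scheme)};
        [Host, <<$:, PortBin/binary>>] ->
            with_port(<<$[, Host/binary, $]>>, PortBin);
        _ ->
            {error, malformed_authority}
    end;
parse_authority(Authority, Scheme) ->
    case binary:split(Authority, <<":">>) of
        [Host]          -> {ok, Host, default_port(Scheme)};
        [Host, PortBin] -> with_port(Host, PortBin)
    end.

%% Accept only a non-empty host and a numeric port in 1..65535.
with_port(<<>>, _PortBin) ->
    {error, malformed_authority};
with_port(_Host, <<>>) ->
    {error, malformed_authority};
with_port(Host, PortBin) ->
    try binary_to_integer(PortBin) of
        Port when Port > 0, Port =< 65535 -> {ok, Host, Port};
        _ -> {error, malformed_authority}
    catch
        error:badarg -> {error, malformed_authority}
    end.

default_port(https) -> 443;
default_port(http)  -> 80.

%% Runs the check over constructed sample authorities against a
%% constructed origin and returns {Authority, Result} pairs.
demo() ->
    Origin = {https, <<"api.example.com">>, 443},   % constructed sample origin
    Samples = [<<"api.example.com">>,        % ok
               <<"API.example.com:443">>,    % ok (case-insensitive host)
               <<"other.example.org">>,      % {error, host_mismatch}
               <<"api.example.com:8443">>,   % {error, port_mismatch}
               <<"[::1]:443">>,              % {error, host_mismatch}
               <<>>],                        % {error, empty_authority}
    [{A, validate_push_authority(Origin, A)} || A <- Samples].
```

The comparison deliberately uses the connection's own scheme, host and port rather than anything taken from the frame, so the only value the server controls is the one being checked. A client that receives {error, _} here should reset the promised stream and must not create a cookie-store entry for the announced authority.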

Evidence notes

The CVE-2026-43972 vulnerability was published on 2026-06-08T15:16:46.290Z and modified on 2026-06-09T15:20:13.097Z.
