PatchSiren cyber security CVE debrief

CVE-2026-8368 OALDERS CVE debrief

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are sent unchanged to the redirect target, including across scheme, host, or port changes. A redirect to an attacker-controlled host therefore discloses the caller's credentials to that host.

Vendor: OALDERS
Product: LWP::UserAgent
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Organizations running Perl applications that use LWP::UserAgent for HTTP requests with authentication, particularly those that may follow redirects to external or untrusted hosts. This includes web scraping tools, API clients, and automation scripts.

Technical summary

LWP::UserAgent in libwww-perl before version 6.83 fails to strip Authorization and Proxy-Authorization headers when following HTTP 3xx redirects. The redirect handler removes only the Host and Cookie headers before issuing the follow-up request, so authentication credentials remain intact. This behavior persists across scheme changes (HTTP to HTTPS), host changes, and port changes. An attacker who can induce a redirect to a host they control (through an open redirect vulnerability, a compromised legitimate site, or a man-in-the-middle position) can capture these credentials. The vulnerability affects any Perl application that uses LWP::UserAgent with explicit authentication headers and follows redirects. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality impact with no integrity or availability impact.

Defensive priority

medium

Recommended defensive actions

  • Upgrade to LWP::UserAgent version 6.83 or later to remediate the credential disclosure vulnerability.
  • Review applications using LWP::UserAgent for any reliance on custom redirect handling that may need adjustment after upgrading.
  • Audit HTTP client configurations to ensure sensitive headers are not inadvertently preserved across redirects in other libraries.
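As an added example of the cross-origin check described in the technical summary (this is not code from libwww-perl or from the 6.83 fix), the following LWP::UserAgent subclass overrides redirect_ok so that Authorization and Proxy-Authorization are dropped from the follow-up request whenever the redirect target's scheme, host or port differs from the origin that returned the 3xx. The class name StrictRedirectUA, the hostnames, the token and the 302 response are all constructed for the demonstration; it runs without network access by calling redirect_ok directly on the same kind of cloned request LWP builds.

```perl
#!/usr/bin/env perl
# Added example (not the libwww-perl fix): strip credential headers before
# following a redirect whose origin differs from the requesting origin.
package StrictRedirectUA;
use strict;
use warnings;
use parent 'LWP::UserAgent';

# Origin key = scheme:host:port, with URI's default port filled in.
sub _origin {
    my ($uri) = @_;
    return join ':', lc $uri->scheme, lc $uri->host, $uri->port;
}

# LWP calls redirect_ok($prospective_request, $response) before following.
sub redirect_ok {
    my ($self, $prospective, $response) = @_;
    my $from = _origin($response->request->uri);
    my $to   = _origin($prospective->uri);
    if ($from ne $to) {
        # Cross-origin: never forward caller credentials to the new host.
        $prospective->remove_header('Authorization', 'Proxy-Authorization');
    }
    return $self->SUPER::redirect_ok($prospective, $response);
}

package main;
use strict;
use warnings;
use HTTP::Request;
use HTTP::Response;

my $ua = StrictRedirectUA->new;

# Constructed request and 302 response (no network; hosts and token are fake).
my $orig = HTTP::Request->new(GET => 'https://api.example.com/v1/data',
    ['Authorization' => 'Bearer EXAMPLE-TOKEN']);
my $resp = HTTP::Response->new(302, 'Found',
    ['Location' => 'https://other.example.net/capture']);
$resp->request($orig);

# Mimic how LWP builds the follow-up request: clone, drop Host/Cookie, new URI.
my $referral = $orig->clone;
$referral->remove_header('Host', 'Cookie');
$referral->uri($resp->header('Location'));

my $follow = $ua->redirect_ok($referral, $resp);
printf "follow=%d authorization=%s\n", $follow ? 1 : 0,
    defined $referral->header('Authorization') ? 'PRESENT' : 'stripped';
```

A same-origin redirect (same scheme, host and port) leaves the header in place, which matches the intent of the upstream fix; after upgrading to 6.83 the subclass is redundant but harmless.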

Evidence notes

The vulnerability was disclosed on 2026-05-12 and the record was updated on 2026-05-19. The fix is available in libwww-perl 6.83. The issue was discussed on oss-security and addressed via GitHub pull requests.

Official resources

2026-05-12