PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9678 undici CVE debrief

CVE-2026-9678 is a vulnerability in Undici's cache interceptor. The cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names. This allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key. Affected applications are those that explicitly enable the cache interceptor in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.

Vendor
undici
Product
Unknown
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-25
Advisory published
2026-06-17
Advisory updated
2026-06-25

Who should care

Developers and administrators using Undici in shared-cache mode, especially those forwarding Authorization headers and receiving cacheable responses, should be aware of this vulnerability. Applications that use Undici's cache interceptor and handle authenticated requests may be impacted.

Technical summary

The vulnerability arises from Undici's cache interceptor mishandling Cache-Control headers with whitespace-padded qualified private or no-cache field names. This causes the interceptor to store responses that should not be cached, potentially exposing authenticated data to unauthorized users. The issue is addressed in Undici versions 7.28.0 and 8.5.0. Affected applications are those that explicitly enable the cache interceptor in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives. The CVE record was published on 2026-06-17T18:18:06.050Z and was last modified on 2026-06-25T17:44:16.007Z.

Defensive priority

Medium priority due to the potential for unauthorized access to authenticated data.

Recommended defensive actions

  • Upgrade to Undici version 7.28.0 or 8.5.0
  • Disable shared-cache mode for traffic that includes Authorization headers
  • Avoid caching responses to authenticated requests
  • Add Vary: Authorization upstream
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-06-17T18:18:06.050Z and was last modified on 2026-06-25T17:44:16.007Z. The NVD entry is currently Analyzed. The vulnerability allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T18:18:06.050Z and has not been modified since then. The NVD entry is currently Analyzed.