PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54919 yhirose CVE debrief

The CVE-2026-54919 issue affects cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library. In Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL backend versions from 0.33.0 through 0.46.1, when built with specific support flags and connecting to an IP-literal host with server certificate verification enabled, SSLClient, Client in HTTPS mode, and WebSocketClient on Mbed TLS backend skip or bypass certificate chain validation. This allows a man-in-the-middle attacker to present a crafted certificate and potentially read or modify traffic.

Vendor
yhirose
Product
cpp-httplib
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Developers and users of cpp-httplib, especially those using Mbed TLS or wolfSSL backends, should verify their library versions and update to 0.47.0 or later if necessary. This issue is particularly concerning for applications requiring secure communication over HTTPS or WebSocket connections.

Technical summary

cpp-httplib, a C++11 single-file header-only cross-platform HTTP/HTTPS library, has a vulnerability in its SSL/TLS certificate validation mechanism. Specifically, when built with CPPHTTPLIB_MBEDTLS_SUPPORT or CPPHTTPLIB_WOLFSSL_SUPPORT, and connecting to an IP-literal host with server certificate verification enabled, the library skips or bypasses certificate chain validation. This affects SSLClient and Client in HTTPS mode for both Mbed TLS and wolfSSL backends, as well as WebSocketClient on the Mbed TLS backend. The vulnerability allows a man-in-the-middle attacker positioned to intercept traffic to present a crafted certificate, potentially enabling the reading or modification of traffic. The issue is fixed in version 0.47.0.

Defensive priority

High priority should be given to updating cpp-httplib to version 0.47.0 or later, especially in applications where secure communication is critical. Developers should verify their library versions and implement compensating controls if immediate updates are not feasible.

Recommended defensive actions

  • Update cpp-httplib to version 0.47.0 or later
  • Verify library versions in use
  • Implement compensating controls for traffic interception if immediate updates are not feasible
  • Monitor for potential man-in-the-middle attacks
  • Review and update secure communication protocols

Evidence notes

The CVE record was published on 2026-07-10T17:16:58.700Z and was last modified on 2026-07-10T19:01:16.053Z. The NVD entry is currently Undergoing Analysis. Official details can be found in the CVE record and NVD entry.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:16:58.700Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.