CVE-2026-55767— Guzzle: Dot-Only Cookie Domains Match All Hosts in guzzlehttp/guzzle
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-55767
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Guzzle: Dot-Only Cookie Domains Match All Hosts in guzzlehttp/guzzle
Source: NVD (National Vulnerability Database)
Vulnerability Description
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
源验证错误
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-55767
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-55767
请登录查看更多情报信息。
Other References for CVE-2026-55767 (1)
Same Patch Batch · guzzle · 2026-06-23 · 3 CVEs total
| CVE-2026-55568 | 5.9 MEDIUM | Guzzle: Silent HTTPS-Proxy Downgrade to Cleartext |
| CVE-2026-55766 | 4.8 MEDIUM | guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization |
IV. Related Vulnerabilities
Same product: guzzle
- CVE-2026-55568
Guzzle: Silent HTTPS-Proxy Downgrade to Cleartext - CVE-2022-31090
CURLOPT_HTTPAUTH option not cleared on change of origin in G - CVE-2022-31091
Change in port should be considered a change in origin in Gu - CVE-2022-31042
Failure to strip the Cookie header on change in host or HTTP - CVE-2022-31043
Fix failure to strip Authorization header on HTTP downgrade
Same vendor: guzzle
- CVE-2026-55766
guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serializa - CVE-2026-55568
Guzzle: Silent HTTPS-Proxy Downgrade to Cleartext - CVE-2026-53723
guzzlehttp/guzzle-services' XML Request Serialization Vulner - CVE-2026-49214
guzzlehttp/psr7 has CRLF Injection via URI Host Component - CVE-2026-48998
guzzlehttp/psr7 has Host Confusion via Authority Reinterpret
Same weakness: CWE-346
- CVE-2026-46611
Glances: XML-RPC Server Missing Host Header Validation Enabl - CVE-2026-55487
pnpm: manifest identity spoof satisfies allowBuilds and runs - CVE-2026-54030
LibreChat: Missing Resource Parameter Validation in MCP OAut - CVE-2026-54069
SiYuan: Unauthenticated Admin API Access via Blanket chrome- - CVE-2026-54007
Open WebUI: Cross-origin postMessage confirmation bypass via
V. Comments for CVE-2026-55767
No comments yet