CVE-2026-3099

CWE-3238 documents8 sources
Severity
7.3HIGH
EPSS
0.4%
top 39.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Enterprise Linux
Timeline
PublishedMar 12

Description

A flaw was found in Libsoup. The server-side digest authentication implementation in the SoupAuthDomainDigest class does not properly track issued nonces or enforce the required incrementing nonce-count (nc) attribute. This vulnerability allows a remote attacker to capture a single valid authentication header and replay it repeatedly. Consequently, the attacker can bypass authentication and gain unauthorized access to protected resources, impersonating the legitimate user.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:LExploitability: 1.6 | Impact: 3.7

Affected Packages0 packages

Also affects: Enterprise Linux 10.0, 6.0, 7.0, 8.0, 9.0

๐Ÿ”ดVulnerability Details

3
CVEList
Libsoup: libsoup: authentication bypass via digest authentication replay attackโ†—2026-03-12
โ–ถ
GHSA
GHSA-hrf3-6c7v-5628: A flaw was found in Libsoupโ†—2026-03-12
โ–ถ
OSV
CVE-2026-3099: A flaw was found in Libsoupโ†—2026-03-12
โ–ถ

๐Ÿ“‹Vendor Advisories

3
Microsoft
Libsoup: libsoup: authentication bypass via digest authentication replay attackโ†—2026-03-10
โ–ถ
Red Hat
libsoup: Libsoup: Authentication bypass via digest authentication replay attackโ†—2026-02-24
โ–ถ
Debian
CVE-2026-3099: libsoup2.4 - A flaw was found in Libsoup. The server-side digest authentication implementatio...โ†—2026
โ–ถ

๐Ÿ•ต๏ธThreat Intelligence

1
Wiz
CVE-2026-3099 Impact, Exploitability, and Mitigation Steps | Wizโ†—
โ–ถ