CVE-2026-34226
Published 2026-03-27
Priority P3 · 44 · high · 7.5 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.46% (36.4th percentile)
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| capricorn86 | happy-dom | < 20.8.9 | 20.8.9 |
| capricorn86 | happy-dom | >= 0 < 20.8.9 | 20.8.9 |
| capricorn86 | happy_dom | < 20.8.9 | 20.8.9 |
CVSS provenance
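| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vendor_redhat | | 7.5 | HIGH | |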
GHSA
Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
ghsa·2026-03-29
CVE-2026-34226 [HIGH] CWE-201 Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
### Summary
`happy-dom` may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B.
### Details
In [`packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts`](https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts) (`getRequestHeaders()`), cookie selection is performed with `originURL`:
```ts
const originURL = new URL(options.window.location.href);
const isCORS = FetchCORSUtility.isCORS(originURL, options.request[PropertySymbol.url]);
```
OSV
Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
osv·2026-03-29
CVE-2026-34226 [HIGH] Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
Red Hat
happy-dom: Happy DOM: Information disclosure via incorrect cookie handling in fetch requests
vendor_redhat·2026-03-27·CVSS 7.5
CVE-2026-34226 [HIGH] CWE-201 happy-dom: Happy DOM: Information disclosure via incorrect cookie handling in fetch requests
A flaw was found in Happy DOM, a JavaScript implementation of a web browser without its graphical user interface. This vulnerability allows for information disclosure where cookies from the current page's origin can be inadvertently attached to network requests made to a different destination. This occurs when the `fetch` function is used
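The advisories above describe cookie selection keyed on the page URL rather than the request target. The following is an added example, not happy-dom's code or its fix: a simplified model of that behaviour beside a target-keyed version, plus a regression check that flags cookies sent to a host they are not scoped to. The jar contents, host names and function names are constructed for illustration.

```javascript
// Constructed cookie jar; hosts and values are made up for this example.
const jar = [
  { name: "session", value: "a-secret", host: "app.a.example", secure: true },
  { name: "pref", value: "dark", host: "api.b.example", secure: false },
];

// Simplified scope check: host-only cookies and the Secure flag.
// Path and Domain-attribute matching are left out to keep the example short.
function cookiesFor(url) {
  return jar.filter(
    (c) => c.host === url.hostname && (!c.secure || url.protocol === "https:")
  );
}

function toHeader(cookies) {
  return cookies.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Flawed pattern from the advisory: the jar is queried with the page URL.
function headersByPageOrigin(pageHref, requestHref, credentials) {
  const originURL = new URL(pageHref);
  const headers = {};
  if (credentials === "include") {
    const cookie = toHeader(cookiesFor(originURL));
    if (cookie) headers.Cookie = cookie;
  }
  return headers;
}

// Corrected pattern: the jar is queried with the request target URL.
function headersByTarget(pageHref, requestHref, credentials) {
  const originURL = new URL(pageHref);
  const targetURL = new URL(requestHref, originURL);
  const sameOrigin = originURL.origin === targetURL.origin;
  const headers = {};
  if (credentials === "include" || (credentials === "same-origin" && sameOrigin)) {
    const cookie = toHeader(cookiesFor(targetURL));
    if (cookie) headers.Cookie = cookie;
  }
  return headers;
}

// Regression check: names of cookies in the header that are not scoped to the target.
function foreignCookies(headers, requestHref) {
  const allowed = new Set(cookiesFor(new URL(requestHref)).map((c) => c.name));
  const sent = (headers.Cookie || "").split("; ").filter(Boolean);
  return sent.map((pair) => pair.split("=")[0]).filter((n) => !allowed.has(n));
}
```

A check like `foreignCookies` fits in a test suite that drives a DOM emulator against a local capture server, so a regression shows up as a failing assertion rather than as a leaked session value.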
No detection rules found.
No public exploits indexed.
https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts
https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751
https://github.com/capricorn86/happy-dom/pull/2117
https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9
https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g
https://access.redhat.com/security/cve/CVE-2026-34226
https://bugzilla.redhat.com/show_bug.cgi?id=2452519
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34226.json