# CVE-2026-39825

Published 2026-05-07
Priority: P4 · 31 · CVSS 3.1 base score 5.3 (medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.39% (31.0th percentile)
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.
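The mechanism above is that the Rewrite function sees only what url.ParseQuery parsed, while the proxy may still forward the raw query. One defensive arrangement, added here as an illustration and not code from the Go project or from this advisory, is to bound the raw parameter count before the request ever reaches the ReverseProxy, and to have the Rewrite function rebuild the outbound query solely from what it parsed. The cap `maxQueryParams`, the stripped parameter name `hidden`, the in-process backend and the sample queries are all constructed for this example; the count is taken on the raw string, so it does not depend on the parser's own limit.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// maxQueryParams is a constructed, deployment-specific cap. Set it at or
// below the ParseQuery limit (GODEBUG=urlmaxqueryparams=N) so that every
// parameter reaching the Rewrite function is one url.ParseQuery parsed.
const maxQueryParams = 1000

// countRawQueryParams counts '&'-separated segments of a raw query string
// without parsing it. Empty segments ("a=1&&b=2") are counted too: the
// guard only needs an upper bound, and over-counting is the safe direction.
func countRawQueryParams(rawQuery string) int {
	if rawQuery == "" {
		return 0
	}
	return strings.Count(rawQuery, "&") + 1
}

// limitQueryParams rejects, before proxying, any request whose raw query
// carries more parameters than limit, so the inner Rewrite function never
// receives a query it cannot inspect in full.
func limitQueryParams(limit int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if countRawQueryParams(r.URL.RawQuery) > limit {
			http.Error(w, "too many query parameters", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newGuardedProxy builds a ReverseProxy whose Rewrite function rebuilds the
// outbound query from url.ParseQuery's result (dropping the constructed
// example parameter "hidden") and wraps it in the raw-count guard.
func newGuardedProxy(backend *url.URL) http.Handler {
	proxy := &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(backend)
			q, err := url.ParseQuery(pr.In.URL.RawQuery)
			if err != nil {
				// If the query cannot be parsed in full, forward none of it
				// rather than forwarding parameters this function never saw.
				pr.Out.URL.RawQuery = ""
				return
			}
			q.Del("hidden") // constructed policy: the backend must never receive it
			pr.Out.URL.RawQuery = q.Encode()
		},
	}
	return limitQueryParams(maxQueryParams, proxy)
}

// proxyQueryResult sends one GET with the given raw query through the guarded
// proxy to an in-process backend and reports the client-visible status and the
// query string the backend actually received ("" if it was never reached).
func proxyQueryResult(rawQuery string) (status int, forwardedQuery string) {
	var seen string
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.URL.RawQuery
		w.WriteHeader(http.StatusOK)
	}))
	defer backend.Close()

	target, err := url.Parse(backend.URL)
	if err != nil {
		panic(err)
	}
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api?"+rawQuery, nil)
	newGuardedProxy(target).ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	// A small query: "hidden" is stripped, the rest is forwarded re-encoded.
	fmt.Println(proxyQueryResult("a=1&hidden=y&b=2"))
	// The shape from the advisory, padded past the cap: rejected at the edge.
	fmt.Println(proxyQueryResult(strings.Repeat("a=x&", maxQueryParams) + "hidden=y"))
}
```

The guard and the Rewrite function are deliberately independent: the guard bounds what any parser downstream has to handle, and the Rewrite function never copies the inbound raw query through, so a parameter it did not parse cannot be forwarded even if the cap is misconfigured.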
## Affected

103 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| ansible-automation-platform | platform-operator-bundle | — | — |
| build-of-trustee | trustee-rhel9-operator | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-security-profiles-rhel8-operator | — | — |
| confidential-compute-attestation-tech-preview | trustee-rhel9-operator | — | — |
| confidential-containers | trustee | — | — |
| container-native-virtualization | kubevirt-apiserver-proxy-rhel9 | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-tools_rhel8 | buildah | — | — |
| container-tools_rhel8 | conmon | — | — |
| container-tools_rhel8 | podman | — | — |
| container-tools_rhel8 | skopeo | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| custom-metrics-autoscaler | custom-metrics-autoscaler-rhel9 | — | — |
| devspaces | udi-rhel9 | — | — |
| devworkspace | devworkspace-rhel9-operator | — | — |
| dvo | deployment-validation-rhel8-operator | — | — |
| etcd | etcd | — | — |
| external-secrets-operator | external-secrets-rhel9 | — | — |
## CVSS provenance

NVD (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Red Hat (vendor): 5.3 MEDIUM
## Red Hat

net/http/httputil: golang: net/http/httputil: ReverseProxy forwards hidden query parameters, potentially bypassing security controls
vendor_redhat · 2026-05-07 · CVSS 5.3 · MEDIUM · CWE-472
## VulDB

net-http-httputil up to 1.25.9/1.26.2 on Go Query Parameter Rewrite request smuggling (EUVD-2026-28425)
vuldb · 2026-05-07 · LOW
A vulnerability classified as problematic was found in net-http-httputil up to 1.25.9/1.26.2 on Go. This impacts the function Rewrite of the component Query Parameter Handler. Executing a manipulation can lead to http request smuggling.
This vulnerability is tracked as CVE-2026-39825. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is advised.
## GHSA

GHSA-h74g-238j-357m: ReverseProxy can forward queries containing parameters not visible to Rewrite functions
ghsa_unreviewed · 2026-05-07 · MEDIUM
No detection rules found.
No public exploits indexed.
## Rapid7

Patch Tuesday - May 2026 (CVE-2026-41089, CRITICAL, CVSS 10.0)
blogs_rapid7 · 2026-05-13

Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
## Bugzilla

CVE-2026-39825 net/http/httputil: golang: net/http/httputil: ReverseProxy forwards hidden query parameters, potentially bypassing security controls
bugzilla · 2026-05-07 · CVSS 5.3 · MEDIUM