CVE-2026-48998
Published 2026-06-11
Priority: P431
Severity: medium, CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.20% (9.7th percentile)
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as `[email protected]`. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with `GuzzleHttp\Psr7\Message::parseRequest()` or the legacy 1.x `GuzzleHttp\Psr7\parse_request()` function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in `2.10.2`. `1.x` is end-of-life and will not receive a patch. Some workarounds are available. Validate the `Host` header as `uri-host [ ":" port ]` before calling `Message::parseRequest()` or legacy `parse_request()` on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters.
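One way to apply the workaround stated above, checking the Host value against `uri-host [ ":" port ]` before it reaches `Message::parseRequest()` or a routing or forwarding decision, as an added PHP example that is not part of guzzlehttp/psr7 (the function name `isValidHostHeader` and the sample values are constructed; IPvFuture literals are assumed unneeded and are rejected):

```php
<?php
// Added example (not guzzlehttp/psr7 code): accept a Host header only if it
// is `uri-host [ ":" port ]` per RFC 3986. Userinfo ("@"), path ("/"),
// query ("?") and fragment ("#") delimiters are outside the reg-name set,
// so a value such as "user@evil.example" is refused instead of being
// re-read as userinfo + host later on.
declare(strict_types=1);

function isValidHostHeader(string $host): bool
{
    // IP-literal: "[" IPv6address "]" [ ":" port ]. IPvFuture is not
    // accepted here (assumption: the deployment never needs it).
    if ($host !== '' && $host[0] === '[') {
        $close = strpos($host, ']');
        if ($close === false) {
            return false;
        }
        $literal = substr($host, 1, $close - 1);
        $rest = substr($host, $close + 1);
        if (filter_var($literal, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
            return false;
        }
        return $rest === '' || preg_match('/^:[0-9]*\z/', $rest) === 1;
    }

    // reg-name / IPv4address [ ":" port ]. Split on the LAST colon so that any
    // extra colon ends up in $name and fails the reg-name check.
    $colon = strrpos($host, ':');
    $name = $colon === false ? $host : substr($host, 0, $colon);
    $port = $colon === false ? '' : substr($host, $colon + 1);

    // reg-name = *( unreserved / pct-encoded / sub-delims )
    $regName = '/^(?:[A-Za-z0-9\-._~!$&\'()*+,;=]|%[0-9A-Fa-f]{2})*\z/';
    return $name !== ''
        && preg_match($regName, $name) === 1
        && preg_match('/^[0-9]*\z/', $port) === 1;
}

// Constructed inputs: the first three are well-formed; the rest carry
// authority, path, query or fragment delimiters and must be refused.
$samples = [
    'example.com'       => true,
    'example.com:8443'  => true,
    '[2001:db8::1]:443' => true,
    'user@evil.example' => false, // userinfo delimiter: the case in this CVE
    'example.com/admin' => false, // path delimiter
    'example.com?x=1'   => false, // query delimiter
    'example.com#frag'  => false, // fragment delimiter
    'a:b:c'             => false, // extra colon, not a valid port
];
foreach ($samples as $value => $expected) {
    if (isValidHostHeader($value) !== $expected) {
        throw new RuntimeException("unexpected result for Host: $value");
    }
}
echo "all Host samples classified as expected\n";
```

Run the check on the raw `Host` header (or `$_SERVER['HTTP_HOST']`) before building the request, and treat a `false` result as a bad request rather than attempting to repair the value.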
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| guzzle | psr7 | < 2.10.2 | 2.10.2 |
| guzzlehttp | psr7 | >= 0 < 2.10.2 | 2.10.2 |
| guzzlephp | psr-7 | < 2.10.2 | 2.10.2 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Red Hat (vendor) | | 5.3 | MEDIUM | |
VulDB
guzzle psr7 up to 2.10.1 Message::parseRequest missing initialization (GHSA-34xg-wgjx-8xph / EUVD-2026-36239)
vuldb·2026-06-11·CVSS 5.3
A vulnerability identified as problematic has been detected in guzzle psr7 up to 2.10.1. This impacts the function Message::parseRequest. The manipulation leads to missing initialization of a variable. This vulnerability only affects products that are no longer supported by the maintainer.
This vulnerability is traded as CVE-2026-48998. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation
ghsa·2026-06-11
CVE-2026-48998 [MEDIUM] CWE-20 guzzlehttp/psr7 has Host Confusion via Authority Reinterpretation
## Impact
`guzzlehttp/psr7` improperly interpreted malformed `Host` header values when constructing request URIs from inbound request data. This issue concerns inbound request parsing and server request construction. It does not require serializing a PSR-7 request, and it is not part of the normal outbound request-sending path used by `guzzlehttp/guzzle`.
A vulnerable flow is:
1. An attacker controls a raw HTTP request or server variable containing a `Host` value.
2. The `Host` value contains URI authority delimiters, such as `[email protected]`.
3. `guzzlehttp/psr7` uses that value to construct a URI.
4. The URI parser treats the portion before `@` as userinfo and the portion after `@` as the URI host.
5. The
Red Hat
guzzlehttp/psr7: guzzlehttp/psr7: Information disclosure via improper Host header validation
vendor_redhat·2026-06-11·CVSS 5.3
CVE-2026-48998 [MEDIUM] CWE-1286 guzzlehttp/psr7: guzzlehttp/psr7: Information disclosure via improper Host header validation
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-48998 roundcubemail: guzzlehttp/psr7: Information disclosure via improper Host header validation [epel-all]
bugzilla·2026-06-12·CVSS 5.3
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-48998 roundcubemail: guzzlehttp/psr7: Information disclosure via improper Host header validation [fedora-all]
bugzilla·2026-06-12·CVSS 5.3
Bugzilla
CVE-2026-48998 nextcloud: guzzlehttp/psr7: Information disclosure via improper Host header validation [fedora-all]
bugzilla·2026-06-12·CVSS 5.3
Bugzilla
CVE-2026-48998 nextcloud: guzzlehttp/psr7: Information disclosure via improper Host header validation [epel-all]
bugzilla·2026-06-12·CVSS 5.3
Bugzilla
CVE-2026-48998 guzzlehttp/psr7: guzzlehttp/psr7: Information disclosure via improper Host header validation
bugzilla·2026-06-11·CVSS 5.3