CVE-2026-49214
Published 2026-06-11
Priority: P429 · Severity: medium · CVSS 3.1 base score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.19% (8.8th percentile)
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components.

A vulnerable flow is:

1. An application accepts a user-controlled URL.
2. The URL is used to construct a PSR-7 `Uri` or `Request`.
3. The host component contains CRLF or another header-unsafe character.
4. The host is copied into the PSR-7 `Host` header when no explicit `Host` header is provided.
5. The request is serialized or sent by an HTTP client that does not independently reject the malformed host.

In that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing `"\r\nX-Injected: yes"` can cause the generated `Host` header to span multiple HTTP header lines. Applications are affected when they use user-controlled URLs for outbound HTTP requests, URL forwarding, proxying, crawling, webhook delivery, or similar request-dispatch flows. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request.

The issue is patched in `2.10.2` and later. `1.x` is end-of-life and will not receive a patch.

As a workaround, validate and reject all untrusted URI strings before constructing PSR-7 `Uri` or `Request` instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters. Applications that forward requests should also ensure the final HTTP client or serializer rejects invalid URI and header data before writing requests to the network.
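One way to apply the workaround above, as an added example that is not part of the advisory or of the library: a PHP gate that rejects header-unsafe bytes before a `Uri` is constructed, and re-checks the derived `Host` header before serialization (function and variable names are assumptions; it assumes guzzlehttp/psr7 is installed via Composer).

```php
<?php
// Added example (not code from the advisory or from guzzlehttp/psr7 itself):
// validate an untrusted URL before it reaches GuzzleHttp\Psr7\Uri, as the
// workaround recommends. Assumes guzzlehttp/psr7 is installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Psr7\Message;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Uri;

// Bytes that must never appear inside an HTTP/1.x header line: ASCII controls
// 0x00-0x1F (CR, LF, TAB and NUL included), space 0x20, and DEL 0x7F.
const HEADER_UNSAFE_BYTES = '/[\x00-\x20\x7F]/';

// Returns the URL unchanged if it is clean, otherwise throws before any
// PSR-7 object is constructed from it.
function assertHeaderSafeUrl(string $url): string
{
    if (preg_match(HEADER_UNSAFE_BYTES, $url) === 1) {
        throw new InvalidArgumentException('URL contains control, whitespace or DEL bytes');
    }
    return $url;
}

// Builds the outbound request from untrusted input. The second check is
// defence in depth: even with a clean URL, refuse to send if the Host header
// the library derived from the URI is not a single clean header line.
function buildOutboundRequest(string $untrustedUrl): Request
{
    $request = new Request('GET', new Uri(assertHeaderSafeUrl($untrustedUrl)));
    if (preg_match(HEADER_UNSAFE_BYTES, $request->getHeaderLine('Host')) === 1) {
        throw new RuntimeException('derived Host header is not header-safe');
    }
    return $request;
}

// Constructed sample inputs: one clean webhook URL, one carrying the CRLF
// sequence quoted in the advisory.
$clean   = 'https://example.com/webhook';
$tainted = "https://example.com\r\nX-Injected: yes/webhook";

echo Message::toString(buildOutboundRequest($clean)), "\n"; // serialized with a single Host line

try {
    buildOutboundRequest($tainted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first check is the actual workaround; the second only matters on library versions that still accept the malformed host, since patched versions reject it in the `Uri` constructor.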
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| guzzle | psr7 | < 2.10.2 | 2.10.2 |
| guzzlehttp | psr7 | >= 0 < 2.10.2 | 2.10.2 |
| guzzlephp | psr-7 | < 2.10.2 | 2.10.2 |
VulDB
guzzle psr7 up to 2.10.1 deserialization (GHSA-hq7v-mx3g-29hw / EUVD-2026-36240)
vuldb·2026-06-11·CVSS 5.3
A vulnerability labeled as problematic has been found in guzzle psr7 up to 2.10.1. Affected is an unknown function. The manipulation results in deserialization. This vulnerability only affects products that are no longer supported by the maintainer.
This vulnerability is known as CVE-2026-49214. It is possible to launch the attack remotely. No exploit is available.
The affected component should be upgraded.
GHSA
guzzlehttp/psr7 has CRLF Injection via URI Host Component
ghsa·2026-06-11
CVE-2026-49214 [MEDIUM] CWE-113 guzzlehttp/psr7 has CRLF Injection via URI Host Component
## Impact
`guzzlehttp/psr7` did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with `GuzzleHttp\Psr7\Message::toString()` or an equivalent custom serializer. Creating a `Uri`, `Request`, or other PSR-7 object alone is not sufficient. The malformed host must be copied into the serialized `Host` header without further validation.
A vulnerable flow is:
1. An application accepts a user-controlled URL.
2. The URL is used to construct a PSR-7 `Uri` or `Request`.
3. The host component contains CRLF or another header-unsafe character.
4. The request is serialized into a raw HTTP/1.x message without an
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-49214 roundcubemail: `guzzlehttp/psr7`: Request Smuggling and Cache Poisoning via HTTP Header Injection [fedora-all]
bugzilla·2026-06-16·CVSS 5.3
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-49214 roundcubemail: `guzzlehttp/psr7`: Request Smuggling and Cache Poisoning via HTTP Header Injection [epel-all]
bugzilla·2026-06-16·CVSS 5.3
Bugzilla
CVE-2026-49214 nextcloud: `guzzlehttp/psr7`: Request Smuggling and Cache Poisoning via HTTP Header Injection [fedora-all]
bugzilla·2026-06-16·CVSS 5.3
Bugzilla
CVE-2026-49214 nextcloud: `guzzlehttp/psr7`: Request Smuggling and Cache Poisoning via HTTP Header Injection [epel-all]
bugzilla·2026-06-16·CVSS 5.3
Bugzilla
CVE-2026-49214 mediawiki: `guzzlehttp/psr7`: Request Smuggling and Cache Poisoning via HTTP Header Injection [fedora-all]
bugzilla·2026-06-16·CVSS 5.3
Bugzilla
CVE-2026-49214 guzzlehttp/psr7: `guzzlehttp/psr7`: Request Smuggling and Cache Poisoning via HTTP Header Injection
bugzilla·2026-06-11·CVSS 5.3