CVE-2026-9678
Published 2026-06-17
Priority: P3 (35) · Severity: medium · CVSS 3.1 base score: 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.37% (29.3rd percentile)
Impact:
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.
In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.
Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.
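The mechanism described above, as an added illustrative example written for this page: it is not undici's source code and does not reproduce undici's exact cache rules. It builds a small Cache-Control parser in two modes, one that keeps quoted field names verbatim (the pre-fix behaviour the advisory describes) and one that trims and lower-cases them, and feeds both into an assumed shared-cache storability policy so the consequence of `private=" authorization"` and `no-cache="\tauthorization"` is visible. The function names, the `normalize` option and the policy are assumptions made for the example.

```javascript
// Added illustrative example for CVE-2026-9678. Not undici's code; the
// storability policy below is an assumption chosen to show the effect of
// keeping whitespace inside a quoted field-name list.

// Split a Cache-Control value on commas that are outside quoted-strings,
// so `private="authorization, set-cookie"` stays one directive.
function splitDirectives(value) {
  const parts = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === '\\' && inQuotes && i + 1 < value.length) {
      current += ch + value[++i];          // keep the quoted-pair intact
    } else if (ch === '"') {
      inQuotes = !inQuotes;
      current += ch;
    } else if (ch === ',' && !inQuotes) {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// Parse Cache-Control into an object: bare directives map to `true`, valued
// directives to a string, qualified `private` / `no-cache` to an array of
// header field names. normalize=false keeps each quoted field name verbatim
// (the flaw); normalize=true trims and lower-cases it before any comparison.
function parseCacheControl(value, { normalize }) {
  const directives = {};
  for (const part of splitDirectives(value)) {
    const eq = part.indexOf('=');
    if (eq === -1) {
      directives[part.toLowerCase()] = true;
      continue;
    }
    const name = part.slice(0, eq).trim().toLowerCase();
    let raw = part.slice(eq + 1).trim();
    if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) {
      raw = raw.slice(1, -1).replace(/\\(.)/g, '$1');   // unquote, unescape
    }
    if (name === 'private' || name === 'no-cache') {
      directives[name] = raw
        .split(',')
        .map((field) => (normalize ? field.trim().toLowerCase() : field));
    } else {
      directives[name] = raw;
    }
  }
  return directives;
}

function qualifiedFields(directive) {
  return Array.isArray(directive) ? directive : [];
}

// Assumed shared-cache policy (not undici's exact logic): a response to a
// request that carried Authorization may be stored only if the response
// explicitly allows it (RFC 9111 section 3.5: public, must-revalidate or
// s-maxage) and does not name `authorization` in a qualified private or
// no-cache directive. The includes('authorization') call is the literal
// comparison that a padded field name slips past.
function mayStoreInSharedCache(requestHeaders, cacheControlValue, opts) {
  const cc = parseCacheControl(cacheControlValue, opts);
  if (cc['no-store'] === true || cc.private === true) return false;
  const authenticated = Object.keys(requestHeaders)
    .some((h) => h.toLowerCase() === 'authorization');
  if (!authenticated) return true;
  const explicitlyAllowed =
    cc.public === true || cc['must-revalidate'] === true || 's-maxage' in cc;
  if (!explicitlyAllowed) return false;
  const protectedFields = [
    ...qualifiedFields(cc.private),
    ...qualifiedFields(cc['no-cache']),
  ];
  return !protectedFields.includes('authorization');
}

// Constructed inputs mirroring the advisory's two examples (not captured traffic).
const AUTHED_REQUEST = { authorization: 'Bearer user-a-token' };
const PADDED_PRIVATE = 'public, max-age=60, private=" authorization"';
const PADDED_NO_CACHE = 'no-cache="\tauthorization", public, max-age=60';

// true = the response would be stored in the shared cache.
function demonstrate() {
  const run = (cc, normalize) =>
    mayStoreInSharedCache(AUTHED_REQUEST, cc, { normalize });
  return {
    paddedPrivate: { verbatimParse: run(PADDED_PRIVATE, false), normalizedParse: run(PADDED_PRIVATE, true) },
    paddedNoCache: { verbatimParse: run(PADDED_NO_CACHE, false), normalizedParse: run(PADDED_NO_CACHE, true) },
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

With verbatim parsing both padded responses come back as storable, which is the cross-user exposure the advisory describes; with normalized field names both are refused. The same trim-and-lowercase step is the check to apply anywhere a header's quoted field-name list is compared against a constant.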
Patches:
Upgrade to undici v7.28.0 or v8.5.0.
Workarounds:
If upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.
Affected (36 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform | automation-portal | — | — |
| ansible-automation-platform | bootc-automation-portal-rhel9 | — | — |
| devspaces | code-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| devspaces | pluginregistry-rhel9 | — | — |
| nodejs | nodejs | — | — |
| nodejs | undici | >= 7.0.0 < 7.28.0 | 7.28.0 |
| nodejs | undici | >= 8.0.0 < 8.5.0 | 8.5.0 |
| nodejs_22 | nodejs | — | — |
| nodejs_24 | nodejs | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
| odf4 | odf-console-rhel9 | — | — |
| odf4 | odf-multicluster-console-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-pf5-rhel9 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel8 | — | — |
| openshift-pipelines | pipelines-console-plugin-rhel9 | — | — |
| openshift4 | ose-agent-installer-ui-rhel9 | — | — |
| openshift4 | ose-console-rhel9 | — | — |
| openshift4 | ose-monitoring-plugin-rhel9 | — | — |
| rhdh | rhdh-hub-rhel9 | — | — |
| rhoai | odh-dashboard-rhel9 | — | — |
| rhoai | odh-mod-arch-automl-rhel9 | — | — |
| rhoai | odh-mod-arch-autorag-rhel9 | — | — |
| rhoai | odh-mod-arch-eval-hub-rhel9 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| cvelistv5 | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vendor_redhat | — | 5.9 | MEDIUM | — |
GHSA
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
ghsa · 2026-06-18 · MEDIUM · CWE-524 (Use of Cache Containing Sensitive Information)
Impact: identical to the Impact section above.
VulDB
undici up to 7.27.x/8.4.x Shared-Cache Mode interceptors.cache cache containing sensitive information (GHSA-pr7r-676h-xcf6)
vuldb · 2026-06-17 · LOW (VulDB's own rating; NVD and the CNA score it 5.9 MEDIUM)
A vulnerability has been found in undici up to 7.27.x/8.4.x and classified as problematic. The affected element is the function interceptors.cache of the Shared-Cache Mode component. Manipulation leads to use of a cache containing sensitive information.
This vulnerability is identified as CVE-2026-9678. The attack can be initiated remotely. No exploit is available.
The affected component should be upgraded.
CVEList
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
cvelistv5 · 2026-06-17 · CVSS 5.9 · MEDIUM · CWE-524 (Use of Cache Containing Sensitive Information)
Impact: identical to the Impact section above.
Red Hat
undici: Undici: Information disclosure due to improper cache-control header parsing
vendor_redhat · 2026-06-17 · CVSS 5.9 · MEDIUM · CWE-1286 (Improper Validation of Syntactic Correctness of Input)
Impact: identical to the Impact section above.
Citrix
Citrix Security Bulletin CTX219580
vendor_citrix · CVSS 9.8 · CVE-2016-9676 [CRITICAL]
CVE References: CVE-2016-9676, CVE-2016-9677, CVE-2016-9678, CVE-2016-9679, CVE-2016-9680, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
This bulletin references CVE-2016-9678, a different identifier; it does not concern the undici flaw tracked as CVE-2026-9678.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-9678 nodejs24: Undici: Information disclosure due to improper cache-control header parsing [fedora-all]
bugzilla · 2026-06-17 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. (The same disclaimer applies to each of the [fedora-all] trackers below.)
Bugzilla
CVE-2026-9678 fbthrift: Undici: Information disclosure due to improper cache-control header parsing [fedora-all]
bugzilla · 2026-06-17 · MEDIUM
Bugzilla
CVE-2026-9678 nodejs22: Undici: Information disclosure due to improper cache-control header parsing [fedora-all]
bugzilla · 2026-06-17 · MEDIUM
Bugzilla
CVE-2026-9678 nodejs20: Undici: Information disclosure due to improper cache-control header parsing [fedora-all]
bugzilla · 2026-06-17 · MEDIUM
Bugzilla
CVE-2026-9678 undici: Undici: Information disclosure due to improper cache-control header parsing
bugzilla · 2026-06-17 · MEDIUM
Impact: identical to the Impact section above.