CVE-2026-33745 HIGH

CVE-2026-33745: cpp-httplib Client Leaks Authentication Credentials to Untrusted Hosts on Cross-Origin HTTP Redirect

Vendor Yhirose
Product cpp-httplib
Weakness CWE-200 · Info exposure
Published March 27, 2026
Last update April 1, 2026
View on NVD All CVEs

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, the cpp-httplib HTTP client forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the `Authorization` header. Version 0.39.0 fixes the issue.

Key dates

02Disclosure timeline

March 27, 2026 CVE published
April 1, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-41277 GeoJSON URL validation can expose server files and environment variables to unauthorized users CVE-2022-31091 Change in port should be considered a change in origin in Guzzle CVE-2024-35171 WordPress Academy LMS plugin <= 1.9.25 - Sensitive Data Exposure vulnerability CVE-2021-39327 BulletProof Security <= 5.1 Sensitive Information Disclosure CVE-2025-32700 AbuseFilter log interfaces expose global private and hidden filters when central DB is not available