CVE-2026-42551 HIGH

CVE-2026-42551: Flight: HTTP method override enabled by default enables CSRF escalation and middleware bypass in flightphp/core

Vendor Flightphp

Product core

Weakness CWE-436

Published May 13, 2026

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

Description

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including safe verbs such as GET), with no opt-in and no whitelist of permitted target methods. A GET request can silently become a DELETE or PUT, enabling CSRF escalation against destructive endpoints, bypass of middleware gated on unsafe verbs, and cache poisoning between CDN and origin. This vulnerability is fixed in 3.18.1.

Key dates

Disclosure timeline

May 13, 2026 CVE published

May 14, 2026 Record updated