CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-39807: Transport-State Spoofing via Untrusted URI Scheme in Bandit HTTP Server

Vulnerability ID: CVE-2026-39807
CVSS Score: 6.3
Published: 2026-05-07

The Bandit HTTP server prior to version 1.11.0 contains a transport-state spoofing vulnerability. The application incorrectly prioritizes the client-supplied URI scheme over the verified transport-layer encryption status. This allows unauthenticated attackers to spoof the connection state as secure (HTTPS) over a plaintext connection, bypassing security middleware and exposing secure cookies.

TL;DR

A logic flaw in the Bandit HTTP server allows attackers to forge the connection scheme. Sending an absolute-form HTTP request over a plaintext connection causes the server to treat the request as HTTPS, bypassing SSL redirects and leaking secure cookies.
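To make the flaw concrete, here is an added Elixir illustration (not Bandit's code and not taken from the report) of the two ways a server can decide what scheme a request has. The module, function names and the `:tls` / `:plaintext` transport atoms are assumptions chosen for this example; the absolute-form request target is a constructed sample. The vulnerable shape lets the scheme in an absolute-form request line override what the listener knows about the socket, which is the pattern the advisory describes; the fixed shape derives the scheme only from the transport state, matching the fix commit's description.

```elixir
defmodule SchemeResolution do
  @moduledoc """
  Hypothetical model of the CVE-2026-39807 logic flaw (example code, not Bandit's).

  `transport` models what the listener verifiably knows about the socket:
  :tls or :plaintext.  `target` is the raw request-target from the request
  line, which may be origin-form ("/path") or absolute-form
  ("https://host/path").
  """

  # Vulnerable shape: when the request target is absolute-form, the scheme the
  # client wrote in it wins over the verified transport state, so a client on
  # a plaintext socket can make the server believe it is serving HTTPS.
  def vulnerable_scheme(transport, target) do
    case URI.parse(target) do
      %URI{scheme: "https"} -> :https
      %URI{scheme: "http"} -> :http
      _ -> transport_scheme(transport)
    end
  end

  # Fixed shape: the scheme comes only from the transport (adapter) state.
  # The request target is still useful for host and path, but its scheme is
  # not trusted for anything security-relevant.
  def fixed_scheme(transport, _target), do: transport_scheme(transport)

  defp transport_scheme(:tls), do: :https
  defp transport_scheme(:plaintext), do: :http

  # Simplified stand-in for a Plug.SSL-style check: redirect unless HTTPS.
  def ssl_redirect?(scheme), do: scheme != :https

  # Simplified stand-in for secure-cookie handling: only emit a Secure cookie
  # when the connection is actually HTTPS.
  def send_secure_cookie?(scheme), do: scheme == :https

  # Runs both resolvers against a constructed absolute-form request target
  # arriving over a plaintext socket and reports the downstream decisions.
  def demo do
    target = "https://app.example.test/login"

    for {label, resolver} <- [vulnerable: &vulnerable_scheme/2, fixed: &fixed_scheme/2] do
      scheme = resolver.(:plaintext, target)

      {label,
       [
         scheme: scheme,
         ssl_redirect?: ssl_redirect?(scheme),
         secure_cookie_sent?: send_secure_cookie?(scheme)
       ]}
    end
  end
end
```

Running `SchemeResolution.demo()` returns `vulnerable: [scheme: :https, ssl_redirect?: false, secure_cookie_sent?: true]` and `fixed: [scheme: :http, ssl_redirect?: true, secure_cookie_sent?: false]`: with the vulnerable resolver, a plaintext request whose request line names an `https://` target skips the SSL redirect and receives a Secure cookie in the clear, while the fixed resolver redirects and withholds the cookie. The defensive lesson is the one in the fix commit: a scheme is transport state, and only the adapter that owns the socket can vouch for it.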


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-807
  • Attack Vector: Network
  • CVSS Score: 6.3
  • EPSS Score: 0.00018
  • Impact: Security feature bypass and confidentiality loss
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Bandit HTTP Server for Elixir
  • Elixir applications utilizing Plug.Conn via Bandit
  • Deployments exposing plaintext (non-TLS) HTTP ports
  • bandit: >= 1.0.0, < 1.11.0 (Fixed in: 1.11.0)

Code Analysis

Commit: 45feea2

Fix transport-state spoofing vulnerability by evaluating only adapter security state

Exploit Details

  • Commit Test Suite: Unit tests implementing the spoofing payload to verify the patch effectiveness.

Mitigation Strategies

  • Upgrade the bandit package to a patched version
  • Disable plaintext network listeners and enforce TLS termination at the application
  • Deploy a reverse proxy to sanitize absolute-form HTTP request targets

Remediation Steps:

  1. Update the project's mix.exs file to require bandit version 1.11.0 or later.
  2. Execute mix deps.get and mix compile to pull and build the updated dependency.
  3. Audit production deployments to verify whether plaintext ports are unintentionally exposed.
  4. Test downstream application behavior to ensure secure cookies and Plug.SSL correctly evaluate the patched state.
