Bug 2491776 (CVE-2026-55767)

Summary: CVE-2026-55767 guzzlehttp/guzzle: Guzzle: Cookie injection and session fixation due to improper domain validation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Guzzle, an extensible PHP HTTP client. The CookieJar component incorrectly accepted cookies with dot-only or whitespace-padded domain attributes. This vulnerability allows an attacker-controlled origin, when an application requests it with a shared cookie jar, to set a cookie that Guzzle may later send to unrelated hosts using the same jar. This could lead to cookie injection or session fixation against downstream services, potentially compromising user sessions or injecting malicious data.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2491786, 2491787, 2491790, 2491792    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-23 16:01:57 UTC
Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.