Bug 2498161 (CVE-2026-59882)

Summary: CVE-2026-59882 guzzlehttp/psr7: guzzlehttp/psr7: URI host validation flaw can lead to security bypass or misrouting
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in guzzlehttp/psr7, a PHP library for HTTP messages. The Uri::assertValidHost() function fails to properly validate URI host components, allowing for the inclusion of authority delimiters, embedded ports, or malformed IPv6 brackets. This improper validation can lead to discrepancies between the URI host and the authority used for security or routing decisions, potentially enabling security bypasses or misrouting of requests.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2499191, 2499192, 2499193, 2499194    
Bug Blocks:    

Description OSIDB Bzimport 2026-07-08 17:02:50 UTC
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost() does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost() to disagree with the URI authority used for security or routing decisions. This issue is fixed in version 2.12.3.