2490130 – (CVE-2026-55202) CVE-2026-55202 tinyproxy: Tinyproxy: Unauthorized access and request misrouting due to improper Host header validation

Bug 2490130 (CVE-2026-55202) - CVE-2026-55202 tinyproxy: Tinyproxy: Unauthorized access and request misrouting due to improper Host header validation

Summary: CVE-2026-55202 tinyproxy: Tinyproxy: Unauthorized access and request misrouti...

Keywords:
Status:	NEW
Alias:	CVE-2026-55202
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2491335 2491336
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-17 20:02 UTC by OSIDB Bzimport
Modified:	2026-06-22 13:10 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-17 20:02:06 UTC

Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger unauthorized access to internal proxy statistics or misroute requests as transparent proxy connections to circumvent access controls.

Note You need to log in before you can comment on or make changes to this bug.