Bug 2499082 (CVE-2026-59180) - CVE-2026-59180 apprise: Apprise: Information disclosure via HTTP redirect following with credential resending
Summary: CVE-2026-59180 apprise: Apprise: Information disclosure via HTTP redirect fol...
Keywords:
Status: NEW
Alias: CVE-2026-59180
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2499147
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-10 17:02 UTC by OSIDB Bzimport
Modified: 2026-07-10 19:52 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-10 17:02:20 UTC
Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. Prior to 1.11.0, Apprise HTTP-based notification plugins and HTTP attachment and config loaders in apprise/attachment/http.py and apprise/config/http.py follow HTTP redirects by default and resend user-configured auth headers and query parameters on the redirected request, allowing a compromised trusted destination or on-path attacker to receive secrets such as Authorization headers, bearer tokens, custom headers, and service keys. This issue is fixed in version 1.11.0.


Note You need to log in before you can comment on or make changes to this bug.