2433834 – (CVE-2026-1536) CVE-2026-1536 libsoup: libsoup: HTTP header injection or response splitting via CRLF injection in Content-Disposition header

Bug 2433834 (CVE-2026-1536) - CVE-2026-1536 libsoup: libsoup: HTTP header injection or response splitting via CRLF injection in Content-Disposition header

Summary: CVE-2026-1536 libsoup: libsoup: HTTP header injection or response splitting v...

Keywords:
Status:	NEW
Alias:	CVE-2026-1536
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2433837 2433838 2433839
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-28 14:02 UTC by OSIDB Bzimport
Modified:	2026-01-28 14:33 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-28 14:02:00 UTC

CRLF injection vulnerability in the soup_message_headers_set_content_disposition() function of the libsoup HTTP library. The issue occurs because this function internally uses soup_message_headers_append_common(), which does not enforce character restrictions on header values. As a result, an attacker who can control the input used for the Content-Disposition header can inject CRLF sequences into the header value. When the HTTP request or response is later constructed, these sequences are interpreted verbatim, allowing arbitrary HTTP headers to be injected. This can lead to header injection or HTTP response splitting without authentication or user interaction.

Note You need to log in before you can comment on or make changes to this bug.