CVE-2026-1536: libsoup HTTP Header Injection Vulnerability

CVE-2026-1536 Overview

A flaw was found in libsoup that allows HTTP header injection through improper handling of the Content-Disposition header. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.

Critical Impact

Unauthenticated attackers can inject arbitrary HTTP headers through CRLF sequences in the Content-Disposition header, potentially enabling cache poisoning, session hijacking, or cross-site scripting attacks via HTTP response splitting.

Affected Products

• libsoup (all versions where Content-Disposition header parsing is vulnerable)

Discovery Timeline

• 2026-01-28 - CVE CVE-2026-1536 published to NVD
• 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2026-1536

Vulnerability Analysis

This vulnerability exists in the libsoup HTTP library's handling of the Content-Disposition header. The core issue is that libsoup fails to properly sanitize CRLF sequences (\r\n) within user-controlled header values before incorporating them into HTTP messages. When an attacker supplies a malicious Content-Disposition value containing CRLF characters, these are passed through verbatim to the constructed HTTP request or response.

The vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences). This weakness allows attackers to manipulate HTTP message structures by injecting additional headers or even complete HTTP responses, fundamentally breaking the trust boundary between headers and body content.

Root Cause

The root cause is insufficient input validation and sanitization of the Content-Disposition header value in libsoup. The library does not strip or encode CRLF sequences (\r\n or %0D%0A) before using the header value in HTTP message construction. This allows the attacker-controlled content to break out of the intended header context and inject arbitrary headers or response content.

Attack Vector

This vulnerability is exploitable over the network without authentication or user interaction. An attacker who can influence the Content-Disposition header value—either directly through API calls or indirectly through application logic that processes attacker-controlled data—can inject CRLF sequences followed by malicious header content.

The attack flow involves crafting a Content-Disposition value such as attachment; filename="malicious\r\nX-Injected: evil" where the CRLF sequence terminates the original header and injects a new X-Injected header. In HTTP response splitting scenarios, attackers can inject complete HTTP responses, potentially serving malicious content to users or poisoning web caches.

For detailed technical information about this vulnerability, refer to the Red Hat CVE-2026-1536 Advisory and Red Hat Bug Report #2433834.

Detection Methods for CVE-2026-1536

Indicators of Compromise

• HTTP traffic containing URL-encoded or raw CRLF sequences (%0D%0A, \r\n) within Content-Disposition header values
• Unexpected or duplicate HTTP headers appearing in web server logs
• Cache entries containing inconsistent or malicious content indicating potential cache poisoning
• Application logs showing malformed Content-Disposition values with embedded newline characters

Detection Strategies

• Implement deep packet inspection rules to detect CRLF sequences within HTTP header values, particularly in Content-Disposition headers
• Monitor web application firewalls (WAF) for injection patterns containing %0D%0A, %0d%0a, \r\n, or their Unicode equivalents
• Review libsoup version inventory across systems to identify potentially vulnerable installations
• Deploy SentinelOne Singularity to detect anomalous HTTP traffic patterns associated with header injection attacks

Monitoring Recommendations

• Enable detailed HTTP header logging on web servers and reverse proxies to capture full header content
• Configure alerting for HTTP responses containing unexpected header duplications or anomalous header ordering
• Monitor for cache poisoning indicators such as users receiving different content for the same URL
• Implement runtime application self-protection (RASP) to detect header injection attempts at the application layer

How to Mitigate CVE-2026-1536

Immediate Actions Required

• Inventory all systems and applications using libsoup and assess exposure to this vulnerability
• Implement input validation at the application layer to reject or sanitize CRLF sequences in user-controlled data that may reach Content-Disposition headers
• Deploy web application firewall rules to block requests containing CRLF injection patterns
• Review application code that constructs Content-Disposition headers to ensure proper encoding of user input

Patch Information

Monitor the Red Hat CVE-2026-1536 Advisory for official patch information and updates. Apply vendor-supplied patches as soon as they become available. For systems using libsoup through Linux distribution packages, check your distribution's security advisories for updated packages.

Workarounds

• Implement strict input validation to strip or reject any CRLF sequences from data used in HTTP headers
• Use allowlist-based validation for Content-Disposition filename values, permitting only alphanumeric characters and safe symbols
• Deploy a reverse proxy or WAF configured to normalize and sanitize HTTP headers before they reach the application
• Consider disabling or restricting functionality that allows user-controlled Content-Disposition values until patches are applied

# Example: WAF rule to block CRLF injection attempts (ModSecurity format)
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "@rx (\%0d|\%0a|\\r|\\n)" \
    "id:100001,phase:2,deny,status:403,msg:'CRLF Injection Attempt Blocked'"