The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32627

CVE-2026-32627: Cpp-httplib Information Disclosure Flaw

CVE-2026-32627 is an information disclosure vulnerability in Yhirose Cpp-httplib that disables TLS verification on redirects, allowing attackers to intercept HTTPS connections. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: March 20, 2026

CVE-2026-32627 Overview

CVE-2026-32627 is a Certificate Validation Bypass vulnerability in cpp-httplib, a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application.

Critical Impact

A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This enables man-in-the-middle attacks against applications using the vulnerable library.

Affected Products

  • yhirose cpp-httplib versions prior to 0.37.2

Discovery Timeline

  • March 16, 2026 - CVE-2026-32627 published to NVD
  • March 17, 2026 - Last updated in NVD database

Technical Details for CVE-2026-32627

Vulnerability Analysis

This vulnerability (CWE-295: Improper Certificate Validation) arises from a flaw in how cpp-httplib handles HTTPS redirects when operating through a proxy server. The library's redirect-following logic fails to properly initialize TLS verification settings for subsequent connections after a redirect response is received. When a client configured with both a proxy and automatic redirect following receives a 3xx redirect response, the new HTTPS connection established to the redirect target does not inherit or reinitialize the TLS certificate validation settings.

The security implications are severe because the vulnerability operates silently — no errors or warnings are raised to alert the application or user that certificate validation has been bypassed. This creates a false sense of security where developers believe their HTTPS connections are properly secured when they are actually vulnerable to interception.

Root Cause

The root cause lies in the improper initialization of SSL/TLS verification parameters when establishing a new connection following an HTTP redirect. When the library creates a new connection to follow a redirect, the SSL context for the new connection is not properly configured to verify the server's certificate against trusted certificate authorities or to validate the hostname matches the certificate's subject alternative names. This initialization oversight specifically manifests in proxy configurations where the redirect handling code path diverges from the standard direct connection flow.

Attack Vector

The attack vector requires an attacker to be in a network position where they can intercept or manipulate HTTP/HTTPS traffic — such as on the same network segment, controlling a malicious proxy, or through DNS poisoning. The attacker can then return a crafted redirect response pointing to an attacker-controlled server presenting a fraudulent TLS certificate. Since certificate validation is silently disabled on the redirect connection, the client will establish an encrypted tunnel with the attacker's server, transmitting any credentials, session tokens, API keys, or sensitive data intended for the legitimate destination.

The attack is particularly insidious because the connection appears encrypted and secure from the application's perspective — all HTTPS indicators remain intact while the actual security has been completely compromised.

Detection Methods for CVE-2026-32627

Indicators of Compromise

  • Unexpected TLS certificate warnings or errors in network monitoring tools when traffic flows through proxies
  • Network traffic showing HTTPS connections to unexpected IP addresses after redirect responses
  • Application logs indicating redirect chains through suspicious or unexpected domains
  • Certificate chain validation failures in enterprise SSL inspection tools

Detection Strategies

  • Audit application dependencies for cpp-httplib versions prior to 0.37.2
  • Monitor network traffic for proxy-based connections that follow redirects to untrusted hosts
  • Deploy network security tools capable of detecting certificate validation anomalies
  • Review application code for usage patterns combining proxy configuration with set_follow_location(true)

Monitoring Recommendations

  • Implement centralized logging of all TLS certificate validation events in applications using cpp-httplib
  • Configure network intrusion detection systems to alert on suspicious redirect patterns
  • Enable verbose logging in applications to capture redirect chains and certificate information
  • Monitor for anomalous traffic patterns indicative of man-in-the-middle attacks

How to Mitigate CVE-2026-32627

Immediate Actions Required

  • Upgrade cpp-httplib to version 0.37.2 or later immediately
  • Audit all applications using cpp-httplib with proxy configurations and set_follow_location(true) enabled
  • Consider temporarily disabling automatic redirect following until the patch is applied
  • Review application configurations to identify exposure to this vulnerability

Patch Information

The vulnerability is fixed in cpp-httplib version 0.37.2. The fix ensures that TLS certificate and hostname verification settings are properly maintained and applied when following HTTPS redirects through a proxy. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-c3h8-fqq4-xm4g.

Workarounds

  • Disable automatic redirect following by removing or setting set_follow_location(false) and manually handling redirects with proper certificate validation
  • Implement custom redirect handling logic that explicitly validates certificates for each new connection
  • Use a different HTTP client library with proper certificate validation until upgrading is possible
  • Configure network-level certificate pinning or SSL inspection to detect invalid certificates
bash
# Update cpp-httplib to patched version
# If using vcpkg:
vcpkg upgrade cpp-httplib

# If using git submodule, update to v0.37.2 or later:
cd deps/cpp-httplib
git fetch --tags
git checkout v0.37.2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeInformation Disclosure
  • Vendor/TechCpp Httplib
  • SeverityHIGH
  • CVSS Score8.1
  • EPSS Probability0.02%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-295
  • Vendor Resources
  • GitHub Security Advisory
  • Latest CVEs
  • CVE-2025-9185: Mozilla Firefox RCE Vulnerability
  • CVE-2025-9184: Mozilla Firefox RCE Vulnerability
  • CVE-2025-9180: Mozilla Firefox Auth Bypass Vulnerability
  • CVE-2025-8030: Mozilla Firefox RCE Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English