CVE-2026-33745 Overview
CVE-2026-33745 is a high-severity information disclosure vulnerability in cpp-httplib, a popular C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to version 0.39.0, the cpp-httplib HTTP client improperly forwards stored Basic Auth, Bearer Token, and Digest Auth credentials to arbitrary hosts when following cross-origin HTTP redirects (301/302/307/308). A malicious or compromised server can redirect the client to an attacker-controlled host, which then receives the plaintext credentials in the Authorization header.
Critical Impact
Attackers can steal authentication credentials by redirecting HTTP clients to malicious endpoints, potentially leading to full account compromise and unauthorized access to protected resources.
Affected Products
- yhirose cpp-httplib versions prior to 0.39.0
Discovery Timeline
- 2026-03-27 - CVE CVE-2026-33745 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-33745
Vulnerability Analysis
This vulnerability falls under information disclosure (CWE-200), specifically credential leakage through improper handling of HTTP redirects. The cpp-httplib library's HTTP client implementation fails to properly scope authentication credentials when processing redirect responses.
When a client application configures cpp-httplib with authentication credentials (Basic Auth, Bearer Tokens, or Digest Auth) and makes a request to a server, the library stores these credentials and automatically includes them in subsequent requests. The critical flaw lies in the redirect handling logic—when the client receives a 301, 302, 307, or 308 redirect response, it follows the redirect to the new location while preserving the Authorization header, regardless of whether the redirect target is a different origin (cross-origin redirect).
This means an attacker who controls or compromises an initial target server can redirect the client to their own malicious server, which will receive the plaintext credentials intended for the legitimate service. The attack requires network access to either compromise a legitimate server the victim connects to or position themselves where they can serve a redirect response.
Root Cause
The root cause is insufficient validation of redirect destinations in the cpp-httplib HTTP client. The library does not implement origin checking when following HTTP redirects, allowing credentials to be forwarded across domain boundaries. Secure redirect handling requires stripping sensitive headers like Authorization when the redirect target differs from the original request's origin.
Attack Vector
The attack exploits the network-accessible HTTP client redirect mechanism. An attacker must first position themselves to serve redirect responses to a cpp-httplib client, either by:
- Compromising a legitimate server the victim's application connects to
- Performing a man-in-the-middle attack (if HTTPS is not properly enforced)
- Convincing the application to connect to an attacker-controlled endpoint initially
Once the attacker can serve a redirect response, they craft a 301, 302, 307, or 308 redirect pointing to their credential-harvesting server. When the cpp-httplib client follows this redirect, it sends the stored authentication credentials in the Authorization header to the attacker's server in plaintext.
The vulnerability mechanism involves the HTTP client following redirect responses without sanitizing authentication headers. When a redirect crosses origin boundaries, the Authorization header containing credentials is preserved and forwarded to the new destination. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2026-33745
Indicators of Compromise
- Unexpected outbound HTTP/HTTPS connections to unknown external hosts from applications using cpp-httplib
- Network traffic containing Authorization headers being sent to domains not explicitly configured by the application
- Log entries showing HTTP redirect chains that traverse from legitimate domains to suspicious external endpoints
- Authentication failures or credential reuse attacks following cpp-httplib network activity
Detection Strategies
- Implement network monitoring rules to detect Authorization headers in outbound traffic to unexpected destinations
- Review application logs for redirect responses (301/302/307/308) that point to external or untrusted domains
- Deploy SentinelOne Singularity to monitor for anomalous network behavior patterns in applications utilizing cpp-httplib
- Audit software dependencies to identify applications using cpp-httplib versions prior to 0.39.0
Monitoring Recommendations
- Enable detailed HTTP logging in applications using cpp-httplib to capture redirect behavior
- Configure network security appliances to alert on Authorization headers crossing security zone boundaries
- Implement egress filtering to restrict outbound connections from sensitive applications
- Use SentinelOne's behavioral detection capabilities to identify credential exfiltration patterns
How to Mitigate CVE-2026-33745
Immediate Actions Required
- Upgrade cpp-httplib to version 0.39.0 or later immediately
- Audit all applications in your environment that may use cpp-httplib as a dependency
- Review network logs for any evidence of credential leakage prior to patching
- Rotate any credentials that may have been used with vulnerable cpp-httplib versions
Patch Information
The vulnerability is fixed in cpp-httplib version 0.39.0. This update implements proper origin checking during redirect handling, ensuring that authentication credentials are stripped from requests when following cross-origin redirects. Organizations should update to the latest version by pulling the new header file from the official repository.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Disable automatic redirect following in cpp-httplib and implement manual redirect handling with origin validation
- Implement application-level controls to validate redirect destinations before credentials are sent
- Deploy network-level controls to prevent sensitive applications from connecting to untrusted hosts
- Use a web proxy or gateway that strips Authorization headers on cross-origin redirects
# Verify cpp-httplib version in your project
grep -r "CPPHTTPLIB_VERSION" /path/to/project
# Update to version 0.39.0 or later from the official repository
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
