CVE-2026-42855 Overview
CVE-2026-42855 is an authentication bypass vulnerability in the arduino-esp32 WebServer Digest authentication implementation. The flaw affects the Arduino core used for ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers prior to version 3.3.8. The implementation computes the authentication hash using the URI field supplied in the client's Authorization header without verifying that the value matches the actual requested URI. An attacker holding any valid digest response for one protected resource can reuse it to authenticate against a different protected resource, breaking per-URI access control.
Critical Impact
Attackers with a single valid digest credential can access any other protected URI on the device, bypassing per-resource authorization across all affected ESP32 microcontroller families.
Affected Products
- Espressif arduino-esp32 versions prior to 3.3.8
- ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers running affected firmware
- Embedded applications using the bundled WebServer Digest authentication module
Discovery Timeline
- 2026-05-12 - CVE-2026-42855 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-42855
Vulnerability Analysis
The vulnerability resides in the HTTP Digest authentication handler in the arduino-esp32WebServer library. RFC 7616 Digest authentication binds an authentication response to a specific request by including the request URI in the computed hash. Servers must verify that the uri parameter inside the Authorization header matches the actual URI of the incoming HTTP request.
The affected implementation skips this verification step. It uses the attacker-controlled uri value from the Authorization header directly when recomputing the expected hash. As a result, the server accepts a digest response that was originally computed for URI-A as valid proof of authentication for URI-B. The flaw is classified under [CWE-287: Improper Authentication].
Root Cause
The root cause is missing equality validation between the URI in the request line and the uri parameter parsed from the Authorization header. Because the server trusts the client-supplied value when computing the digest, the digest will always match for whatever URI the client claims, regardless of what was actually requested.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker captures or otherwise obtains a single valid Digest Authorization header, for example by observing legitimate traffic to a low-sensitivity endpoint such as /status. The attacker then replays the same Digest header against any other protected endpoint, such as /admin or /config, while keeping the uri parameter inside the header set to the original /status value. The server recomputes the hash using /status, matches it successfully, and authorizes access to the more sensitive endpoint.
The vulnerability mechanism is described in prose because no public proof-of-concept has been released. See the GitHub Security Advisory GHSA-28hv-fwm3-rpcq for vendor technical details.
Detection Methods for CVE-2026-42855
Indicators of Compromise
- HTTP requests where the request line URI differs from the uri parameter inside the Authorization: Digest header
- Repeated successful authentications from the same client using identical nonce and response values across different request URIs
- Access to sensitive ESP32 web endpoints from clients that never completed a fresh challenge-response handshake for that URI
Detection Strategies
- Inspect HTTP traffic to ESP32 devices and alert when the Authorization header uri field does not match the HTTP request target
- Log all Digest authentication attempts at network gateways or reverse proxies fronting ESP32 devices and correlate identical digest responses across distinct URIs
- Audit firmware builds and dependency manifests for arduino-esp32 versions earlier than 3.3.8
Monitoring Recommendations
- Forward WebServer access logs from ESP32 deployments into a centralized log platform for cross-device correlation
- Monitor authenticated access to administrative or configuration endpoints on embedded devices and flag access patterns that lack a preceding 401 challenge
- Track inbound traffic to ESP32 management interfaces from networks outside the expected operational scope
How to Mitigate CVE-2026-42855
Immediate Actions Required
- Upgrade arduino-esp32 to version 3.3.8 or later and rebuild all affected firmware images
- Inventory deployed ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 devices to identify firmware running vulnerable versions
- Restrict network reachability of ESP32 WebServer endpoints to trusted management networks until patched firmware is deployed
Patch Information
Espressif fixed the vulnerability in arduino-esp32 3.3.8. The patch enforces that the uri parameter from the Authorization header matches the URI of the incoming HTTP request before validating the digest hash. Patch details are published in the GitHub Security Advisory GHSA-28hv-fwm3-rpcq.
Workarounds
- Place affected ESP32 devices behind a reverse proxy that performs its own Digest authentication and rejects requests where the header uri does not match the request path
- Disable HTTP Digest authentication and require transport-layer authentication such as TLS client certificates where the platform supports it
- Segment ESP32 management interfaces onto isolated VLANs with strict access control lists until firmware can be updated
# Update arduino-esp32 core to the patched version via Arduino CLI
arduino-cli core update-index
arduino-cli core install esp32:esp32@3.3.8
arduino-cli core list | grep esp32
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

