CVE-2026-55202: Tinyproxy Auth Bypass Vulnerability

CVE-2026-55202 is an authentication bypass vulnerability in Tinyproxy through 1.11.3 that allows attackers to access internal proxy statistics via Host header manipulation. This article covers technical details, affected versions, impact, and mitigation steps.

CVE-2026-55202 Overview

CVE-2026-55202 is an authentication bypass vulnerability in Tinyproxy through version 1.11.3, a lightweight HTTP/HTTPS proxy daemon. The flaw stems from improper validation of the Host header during stathost detection. Unauthenticated remote attackers can access the internal statistics page by injecting a matching Host header or by manipulating the port to bypass detection logic. Attackers can also misroute requests as transparent proxy connections to circumvent access controls. The issue is tracked under CWE-290 (Authentication Bypass by Spoofing) and was addressed in upstream commit 09312a1.

Critical Impact

Remote unauthenticated attackers can read internal proxy statistics and bypass proxy access controls by spoofing the Host header.

Affected Products

  • Tinyproxy versions up to and including 1.11.3
  • Deployments using stathost configuration for internal statistics
  • Transparent proxy deployments relying on Host header trust

Discovery Timeline

  • 2026-06-17 - CVE-2026-55202 published to NVD
  • 2026-06-17 - Last updated in NVD database
  • Fix commit - Tinyproxy maintainers merged remediation in commit 09312a1 via Pull Request #606

Technical Details for CVE-2026-55202

Vulnerability Analysis

Tinyproxy exposes a stathost endpoint that returns internal proxy statistics. Access to this endpoint is gated by comparing the incoming Host header against a configured stathost value. The comparison logic does not normalize or strictly validate the header. An attacker who sets the Host header to match the configured stathost string passes the check, regardless of the true destination. This grants unauthenticated read access to operational telemetry that should remain internal.

The same weakness affects transparent proxy routing. By manipulating the port component or supplying a crafted Host value, attackers can cause Tinyproxy to treat outbound requests as transparent connections. This routing decision bypasses access control rules that rely on the original request target.

Root Cause

The root cause is trust placed in client-supplied header data without canonicalization. The stathost detection routine compared the raw Host header against the configured value without accounting for port variations or transparent-proxy request shapes. The upstream fix in commit 09312a1 tightens header parsing and decouples stathost identification from attacker-influenced fields.
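The canonicalization the root cause calls for can be shown in a few lines. The following is an added example, not Tinyproxy's code and not the upstream fix: it contrasts a raw string comparison of the Host header (the class of check described above) with a check that parses the header into a lower-cased hostname plus port, rejects malformed values, and requires the port to be the proxy's own listener port. The stathost name `tinyproxy.stats` and listener port 8888 are assumed values for illustration.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Optional, Tuple

# Hostname grammar: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, optional trailing dot. Input is lower-cased first.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?$"
)


def raw_match(host_header: str, stathost: str) -> bool:
    """Byte-for-byte comparison of the Host header against the configured
    stathost: the class of check the Root Cause paragraph describes, with
    no canonicalization. Illustrative only; not Tinyproxy's code."""
    return host_header == stathost


def canonical_host(header: str, default_port: int) -> Optional[Tuple[str, int]]:
    """Parse an HTTP Host header into (hostname, port).

    Returns None for anything that is not a well-formed host[:port]:
    empty value, bad characters, non-numeric or out-of-range port, extra
    colons. Hostnames are lower-cased and a trailing dot is dropped;
    IPv6 literals must be bracketed and parse as addresses.
    """
    value = header.strip()
    if not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            return None
        host = value[1:end].lower()
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
        rest = value[end + 1:]
        if rest == "":
            return host, default_port
        if not rest.startswith(":"):
            return None
        port_str = rest[1:]
    else:
        host, sep, port_str = value.partition(":")
        host = host.lower()
        if not _HOSTNAME_RE.match(host):
            return None
        host = host.rstrip(".")
        if not sep:
            return host, default_port
    if not (port_str.isascii() and port_str.isdigit()) or not 1 <= int(port_str) <= 65535:
        return None
    return host, int(port_str)


def matches_stathost(host_header: str, stathost: str, listen_port: int) -> bool:
    """Hardened check: both sides are canonicalized and must agree on hostname
    and port, so a mismatched port suffix, a different case, a malformed value
    or a longer name never matches."""
    got = canonical_host(host_header, listen_port)
    want = canonical_host(stathost, listen_port)
    return got is not None and want is not None and got == want


if __name__ == "__main__":
    for hdr in ("tinyproxy.stats", "TinyProxy.Stats:8888", "tinyproxy.stats:9999",
                "tinyproxy.stats:8888:1", "[::1]:8888", "tinyproxy.stats.example"):
        print(f"{hdr!r:30} raw={raw_match(hdr, 'tinyproxy.stats')!s:5} "
              f"canonical={matches_stathost(hdr, 'tinyproxy.stats', 8888)}")
```

The design point is that the decision is made on parsed, validated fields rather than on the client's bytes: an explicit port is accepted only when it is the listener's own, and anything the parser cannot account for is a non-match rather than a pass-through.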

Attack Vector

Exploitation requires only network reachability to the Tinyproxy listener. The attacker issues an HTTP request with a Host header value that matches the configured stathost, or with a port suffix that confuses the matching logic. No authentication, user interaction, or prior foothold is required. Refer to the VulnCheck Advisory and upstream Pull Request #606 for protocol-level detail.

Detection Methods for CVE-2026-55202

Indicators of Compromise

  • Unexpected HTTP requests to Tinyproxy where the Host header matches the configured stathost value but the source IP is external or unauthorized.
  • Access log entries showing requests to the stats page from clients outside the trusted management range.
  • Requests containing unusual port suffixes in the Host header that do not correspond to the actual proxy listener.

Detection Strategies

  • Parse Tinyproxy access logs and alert on any successful response to the stathost endpoint originating from non-administrative networks.
  • Inspect inbound proxy traffic for Host header values that equal the stathost identifier from clients that should not have that knowledge.
  • Correlate transparent proxy routing decisions with request Host headers to identify anomalies that suggest header manipulation.
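The first two strategies above can be run as a small log scan. The following is an added example, not part of this advisory and not a Tinyproxy tool. The sample log is constructed: its layout approximates Tinyproxy's default `LEVEL  Mon DD HH:MM:SS [pid]: message` style, where a `Connect` line records the client address and a later `Request` line with the same pid and file descriptor records the request line; that pairing is an assumption, so adjust the two regular expressions to the log format actually in use. The stathost name, listener port and trusted ranges are assumed values.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log (assumed layout, documentation address ranges).
SAMPLE_LOG = """\
INFO      Jun 17 10:01:02 [2301]: Connect (file descriptor 7): 10.0.5.20 [10.0.5.20]
CONNECT   Jun 17 10:01:02 [2301]: Request (file descriptor 7): GET http://tinyproxy.stats/ HTTP/1.1
INFO      Jun 17 10:01:05 [2302]: Connect (file descriptor 7): 203.0.113.45 [203.0.113.45]
CONNECT   Jun 17 10:01:05 [2302]: Request (file descriptor 7): GET http://tinyproxy.stats/ HTTP/1.1
INFO      Jun 17 10:01:09 [2303]: Connect (file descriptor 8): 198.51.100.7 [198.51.100.7]
CONNECT   Jun 17 10:01:09 [2303]: Request (file descriptor 8): GET http://tinyproxy.stats:9999/ HTTP/1.1
INFO      Jun 17 10:01:12 [2304]: Connect (file descriptor 9): 10.0.5.21 [10.0.5.21]
CONNECT   Jun 17 10:01:12 [2304]: Request (file descriptor 9): GET http://www.example.com/index.html HTTP/1.1
"""

# Common prefix: level, month, day, time, [pid]:
_PREFIX = r"^\S+\s+\S+ \d+ [\d:]+ \[(?P<pid>\d+)\]: "
_CONNECT_RE = re.compile(_PREFIX + r"Connect \(file descriptor (?P<fd>\d+)\): (?P<ip>\S+)")
_REQUEST_RE = re.compile(_PREFIX + r"Request \(file descriptor (?P<fd>\d+)\): (?P<method>\S+) (?P<target>\S+)")


def _is_trusted(client: str, trusted: list) -> bool:
    """True only when the client parses as an address inside a trusted network;
    an unknown or unparsable client is treated as untrusted."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def scan_log(text: str, stathost: str, listen_port: int, trusted_nets: list[str]) -> list[dict]:
    """Return one finding per suspicious request: a stathost hit from outside
    the trusted ranges, or a request host carrying a port suffix that is not
    the proxy's own listener port (both can fire for the same request)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    clients: dict[tuple[str, str], str] = {}   # (pid, fd) -> client address
    findings: list[dict] = []
    for line in text.splitlines():
        m = _CONNECT_RE.match(line)
        if m:
            clients[(m["pid"], m["fd"])] = m["ip"]
            continue
        m = _REQUEST_RE.match(line)
        if not m:
            continue
        client = clients.get((m["pid"], m["fd"]), "unknown")
        target = m["target"]
        if "://" not in target:          # CONNECT host:port form has no scheme
            target = "//" + target
        parts = urlsplit(target)
        host = (parts.hostname or "").rstrip(".")   # urlsplit lower-cases it
        try:
            port = parts.port            # None when the authority has no port
            port_ok = port is None or port == listen_port
        except ValueError:               # non-numeric or out-of-range port
            port_ok = False
        if not port_ok:
            findings.append({"client": client, "target": m["target"],
                             "reason": "unexpected port suffix in request host"})
        if host == stathost.lower().rstrip(".") and not _is_trusted(client, trusted):
            findings.append({"client": client, "target": m["target"],
                             "reason": "stathost request from untrusted client"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, "tinyproxy.stats", 8888, ["10.0.0.0/8", "127.0.0.0/8"]):
        print(f"{f['client']:15} {f['reason']}: {f['target']}")
```

On the sample the scan reports the stathost request from 203.0.113.45 and, for 198.51.100.7, both the foreign port suffix and the untrusted stathost hit; the requests from the 10.0.0.0/8 clients produce nothing. Feeding the same function a live access log and forwarding its findings to the SIEM gives the stathost-hit rule recommended under Monitoring.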

Monitoring Recommendations

  • Forward Tinyproxy logs to a centralized logging or SIEM platform and create rules for stathost endpoint hits.
  • Baseline normal Host header values seen by the proxy and alert on deviations or unusual port formats.
  • Monitor for spikes in 200-status responses on the stats URI from previously unseen source IPs.

How to Mitigate CVE-2026-55202

Immediate Actions Required

  • Upgrade Tinyproxy to a build that includes commit 09312a1 or a release later than 1.11.3.
  • Restrict network exposure of the Tinyproxy listener to trusted client ranges using host firewalls or network ACLs.
  • Audit existing access logs for prior unauthorized stathost access.

Patch Information

The upstream fix is provided in Tinyproxy commit 09312a1, merged via Pull Request #606. Rebuild Tinyproxy from a source tree that includes this commit, or update via a distribution package that incorporates the fix. Verify the running binary version after deployment.

Workarounds

  • Disable the stathost feature in tinyproxy.conf by commenting out the StatHost directive if statistics are not required.
  • Bind Tinyproxy to a loopback or management-only interface using the Listen directive to prevent untrusted networks from reaching the proxy.
  • Place Tinyproxy behind an authenticating reverse proxy that strips or validates client-supplied Host headers before forwarding.
A configuration example that applies these workarounds to tinyproxy.conf:

```conf
# Configuration example: harden tinyproxy.conf
Listen 127.0.0.1
Port 8888
# Remove or comment out StatHost if not strictly required
# StatHost "tinyproxy.stats"
# With Listen on loopback only local clients can connect; the 10.0.0.0/8 rule
# takes effect only if Listen is later moved to an internal interface
Allow 127.0.0.1
Allow 10.0.0.0/8
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
