CVE-2026-8450: Perl HTTP::Daemon RCE Vulnerability

CVE-2026-8450 is a remote code execution vulnerability in Perl HTTP::Daemon that enables OS command injection via send_file(). This article covers the technical details, affected versions, and mitigation strategies.

CVE-2026-8450 Overview

CVE-2026-8450 is an OS command injection vulnerability in the Perl HTTP::Daemon module affecting versions before 6.17. The flaw resides in the send_file() function, which passes its string argument to Perl's 2-argument open(). The 2-argument form interprets magic prefixes such as | cmd, cmd |, > path, and >> path, allowing pipe-to-subprocess and file write semantics. Attackers who can supply untrusted input to send_file() can execute arbitrary OS commands under the daemon's UID, exfiltrate subprocess stdout through the HTTP response body, or create and truncate files at attacker-chosen paths. The issue is categorized as External Control of File Name or Path [CWE-73].

Critical Impact

Untrusted input passed to send_file() executes OS commands at the daemon process UID and can overwrite or create arbitrary files on the host.

Affected Products

  • HTTP::Daemon for Perl, all versions prior to 6.17
  • Perl applications and CPAN modules that invoke HTTP::Daemon::send_file() with untrusted input
  • libwww-perl ecosystem deployments shipping HTTP-Daemon before 6.17

Discovery Timeline

  • 2026-05-27 - CVE-2026-8450 published to NVD
  • 2026-05-27 - Public discussion on the Openwall oss-security mailing list
  • 2026-05-27 - Patch commit 945d3514 merged via pull request #89 in the libwww-perl/HTTP-Daemon repository
  • 2026-05-27 - HTTP-Daemon 6.17 released on CPAN containing the fix
  • 2026-05-27 - Last modified in NVD database

Technical Details for CVE-2026-8450

Vulnerability Analysis

The vulnerability stems from HTTP::Daemon::send_file() opening its file argument with Perl's 2-argument open() form. Perl's 2-argument open() interprets metacharacters in the filename string rather than treating the argument as a plain path. A leading | or trailing | causes Perl to spawn a shell pipeline and connect the file handle to the subprocess. A leading > opens the target path for writing and truncates it, while >> opens it for append.

When a server built on HTTP::Daemon derives the send_file() argument from request data such as URL path components, query parameters, or header values, an attacker controls the open mode. Submitting id | causes the daemon to execute id and stream the output into the HTTP response body. Submitting > /etc/cron.d/backdoor creates or truncates that path with daemon-process privileges.

The attack requires no authentication and operates over the network, as the affected code path is reached by ordinary HTTP requests handled by the daemon.

Root Cause

The root cause is the use of Perl's 2-argument open() on attacker-influenced input. The 2-argument form overloads the filename string with mode semantics, conflating data and control. The fix in commit 945d3514 switches to the 3-argument open() form, which separates the mode parameter from the path and treats the path strictly as a filesystem name. This eliminates the magic interpretation of |, >, and >> prefixes.
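
The difference between the two open() forms, as an added example that is not taken from the advisory or from the HTTP-Daemon patch. It runs both forms on the same constructed string inside a temporary directory; the helper names and the marker file are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

my $dir    = tempdir(CLEANUP => 1);
my $marker = "$dir/marker.txt";   # constructed path, confined to a temp dir
my $input  = "> $marker";         # stands in for a request-derived value

# Pre-fix pattern: one string carries both the mode and the path.
sub open_two_arg {
    my ($name) = @_;
    open(my $fh, $name) or return;        # deliberately the unsafe form
    close $fh;
    return 1;
}

# Fixed pattern: the mode is its own argument, the path is only a name.
sub open_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return;
    close $fh;
    return 1;
}

# Run the 3-argument form first, while the marker does not exist yet.
for my $case ([ '3-arg', \&open_three_arg ], [ '2-arg', \&open_two_arg ]) {
    my ($label, $opener) = @$case;
    my $result = $opener->($input) ? 'opened' : "failed ($!)";
    printf "%s open: %-40s marker exists: %s\n",
        $label, $result, (-e $marker ? 'yes' : 'no');
}
```

The 3-argument call looks for a file whose name literally begins with `> ` and fails, while the 2-argument call reads the same string as a write mode plus a path and creates the marker file.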

Attack Vector

Exploitation requires sending a crafted HTTP request to a server that forwards request-controlled data into send_file(). A request whose target maps to a value such as whoami | triggers subprocess execution, with stdout returned in the response. A request mapping to > /var/www/html/shell.cgi truncates or creates that file at the daemon's UID, enabling staged file-write to code execution chains. No user interaction is required and the vulnerable function path is exposed wherever the daemon serves user-influenced filenames.

No public proof-of-concept code is referenced in the advisory. Technical details are available in the libwww-perl HTTP-Daemon patch commit, pull request #89, and the Openwall oss-security discussion.

Detection Methods for CVE-2026-8450

Indicators of Compromise

  • HTTP request URIs, query strings, or headers containing pipe characters (|), redirection operators (>, >>), or whitespace-prefixed shell tokens that map to a send_file() argument.
  • Unexpected child processes of the Perl daemon process, such as shells (sh, bash) or system utilities such as id, whoami, curl, or wget.
  • New or truncated files in web-served directories or system paths created with the daemon's UID and recent modification times.
  • HTTP response bodies containing command output such as user IDs, directory listings, or system banners returned by static file endpoints.

Detection Strategies

  • Inventory Perl deployments for HTTP-Daemon versions below 6.17 using cpan -D HTTP::Daemon or package manager queries.
  • Inspect application source for direct or indirect calls to HTTP::Daemon::send_file() that pass request-derived strings.
  • Apply web application firewall rules that flag request paths containing |, >, or >> against endpoints backed by the daemon.
  • Correlate process-tree telemetry to identify Perl interpreter processes spawning shell children, which is anomalous for static file serving.
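
A log hunt for the request patterns listed above, as an added example that is not part of the advisory. It assumes access logs in common log format (for instance from a reverse proxy in front of the daemon) and a hypothetical `/files/` route whose remainder reaches send_file(); the log lines under `__DATA__` are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $PREFIX = '/files/';   # hypothetical route whose remainder reaches send_file()

# Percent-decode up to three times so double-encoded characters surface.
sub decode_target {
    my ($t) = @_;
    for (1 .. 3) {
        (my $next = $t) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        last if $next eq $t;
        $t = $next;
    }
    return $t;
}

# Name the 2-argument open() modes the decoded file name would select.
sub classify {
    my ($target) = @_;
    my $d = decode_target($target);
    return () unless index($d, $PREFIX) == 0;   # only daemon-backed routes
    my $name = substr($d, length $PREFIX);
    my @hits;
    push @hits, 'pipe'     if $name =~ /^\s*\|/ || $name =~ /\|\s*$/;
    push @hits, 'append'   if $name =~ /^\s*>>/;
    push @hits, 'truncate' if $name =~ /^\s*>(?!>)/;
    push @hits, 'metachar' if !@hits && $name =~ /[|<>]/;
    return @hits;
}

while (my $line = <DATA>) {
    next unless $line =~ m{^(\S+) .*?"[A-Z]+ (.*?) HTTP/[\d.]+" (\d{3})};
    my ($src, $target, $status) = ($1, $2, $3);
    my @hits = classify($target) or next;
    print join("\t", $src, $status, join(',', @hits), $target), "\n";
}

__DATA__
192.0.2.10 - - [27/May/2026:10:00:01 +0000] "GET /files/report.pdf HTTP/1.1" 200 5120
198.51.100.7 - - [27/May/2026:10:00:05 +0000] "GET /files/id%20%7C HTTP/1.1" 200 54
198.51.100.7 - - [27/May/2026:10:00:09 +0000] "GET /files/%3E%3E%20notes.txt HTTP/1.1" 200 0
198.51.100.7 - - [27/May/2026:10:00:12 +0000] "GET /files/%253E%20x HTTP/1.1" 200 0
192.0.2.10 - - [27/May/2026:10:00:20 +0000] "GET /search?q=a%3Eb HTTP/1.1" 200 812
```

Scoping to the daemon-backed route keeps the `/search` line, which contains an encoded `>` in an unrelated query string, out of the results.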

Monitoring Recommendations

  • Forward Perl daemon access logs and process execution events into a centralized analytics platform for retrospective hunts on suspicious request patterns.
  • Alert on file creation or truncation events in web roots and system configuration directories attributed to the Perl daemon UID.
  • Monitor outbound network connections initiated by the daemon process, which should not normally make egress connections during file serving.

How to Mitigate CVE-2026-8450

Immediate Actions Required

  • Upgrade HTTP-Daemon to version 6.17 or later from CPAN on every host running affected Perl services.
  • Audit application code for calls to send_file() and remove any path that originates from HTTP request data without strict validation.
  • Restart Perl daemon processes after upgrade to ensure the patched module is loaded into memory.
  • Run the daemon under a least-privileged service account so that any residual code execution is contained.

Patch Information

The fix is delivered in HTTP-Daemon 6.17, published on CPAN. The upstream patch is commit 945d35141d94490f749640bd4390acd6a2193995, merged via pull request #89. The change replaces the 2-argument open() call inside send_file() with the 3-argument form, which forces the path argument to be interpreted strictly as a filesystem path. Release notes are available in the MetaCPAN changes log for HTTP-Daemon 6.17.

Workarounds

  • If immediate upgrade is not possible, wrap calls to send_file() with a sanitizer that rejects any string containing |, >, <, leading or trailing whitespace, or null bytes.
  • Resolve user-supplied filenames against a fixed base directory using File::Spec and verify the resolved path with -f before passing it to the daemon.
  • Restrict the daemon to a chroot or container with a read-only filesystem to limit the impact of write-mode abuse.
  • Place the Perl daemon behind a reverse proxy that normalizes request paths and strips shell metacharacters before forwarding.
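
One way to combine the first two workarounds, as an added example that is not code from the advisory or the HTTP-Daemon project. The function name `open_for_send`, the temporary document root and the sample names are assumptions; `Cwd::realpath` is used in addition to File::Spec so that `..` segments and symlinks are resolved before the base-directory check.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed document root with one file, so the example runs offline.
my $BASE = realpath(tempdir(CLEANUP => 1));
open(my $seed, '>', File::Spec->catfile($BASE, 'index.html')) or die "seed: $!";
print {$seed} "<h1>ok</h1>\n";
close $seed;

# Return (handle, undef) for an acceptable name, or (undef, reason).
sub open_for_send {
    my ($name) = @_;
    return (undef, 'empty') unless defined $name && length $name;
    return (undef, 'metacharacter')   if $name =~ /[|<>\0]/;
    return (undef, 'edge whitespace') if $name =~ /^\s|\s$/;
    my $full = eval { realpath(File::Spec->catfile($BASE, $name)) };
    return (undef, 'unresolvable')       unless defined $full;
    return (undef, 'outside base')       unless index($full, "$BASE/") == 0;
    return (undef, 'not a regular file') unless -f $full;
    open(my $fh, '<', $full) or return (undef, "open: $!");   # 3-argument form
    binmode $fh;
    return ($fh, undef);
}

for my $name ('index.html', 'id |', '> new.txt', ' index.html',
              '../../etc/hostname', 'missing.html') {
    my ($fh, $why) = open_for_send($name);
    printf "%-22s %s\n", "[$name]", $fh ? 'accepted' : "rejected ($why)";
    # In the server: $c->send_file($fh) if $fh;   ($c is a hypothetical
    # connection object; send_file() is documented to accept a handle
    # as well as a file name.)
    close $fh if $fh;
}
```

Because the caller opens the file itself and hands over a handle, the request-derived string is never used as an open() argument by the module.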

```bash
# Configuration example: upgrade HTTP::Daemon and verify version
cpanm HTTP::Daemon@6.17
perl -MHTTP::Daemon -e 'print "$HTTP::Daemon::VERSION\n"'
# Expected output: 6.17 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
