Description

Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated. Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions. This issue affects bandit: from 1.0.0 before 1.11.0.

INFO

Published Date :

2026-05-01T20:34:22.832Z

Last Modified :

2026-05-02T04:17:33.243Z

Source :

EEF
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39807 vulnerability.

Vendors Products
Mtrudel
  • Bandit
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39807.

URL Resource
https://cna.erlef.org/cves/CVE-2026-39807.html cve-icon cve-icon
https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667 cve-icon cve-icon
https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j cve-icon cve-icon cve-icon
https://osv.dev/vulnerability/EEF-CVE-2026-39807 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability