CVE-2026-39807: Transport-State Spoofing via Untrusted URI Scheme in Bandit HTTP Server

DEV Community·CVE Reports·26 days ago

Vulnerability ID: CVE-2026-39807
CVSS Score: 6.3
Published: 2026-05-07

The Bandit HTTP server prior to version 1.11.0 contains a transport-state spoofing vulnerability. The server prioritizes the client-supplied URI scheme over the verified transport-layer encryption status of the connection. This allows unauthenticated attackers to spoof the connection state as secure (HTTPS) over a plaintext connection, bypassing security middleware and exposing cookies marked Secure.

TL;DR

A logic flaw in the Bandit HTTP server allows attackers to forge the connection scheme. Sending an absolute-form request (a request-target of the form https://host/path rather than /path) over a plaintext connection causes the server to treat the request as HTTPS, bypassing SSL redirects and leaking secure cookies.…
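To make the flaw concrete, the following is an added example modelling the logic the advisory describes; it is not Bandit's code and is not taken from the original post. The request-line parser, the `Conn`/`Request` types, the `effective_scheme` function and the force-SSL middleware in `handle` are all hypothetical stand-ins. The only difference between the vulnerable and fixed paths is whether a scheme found in an absolute-form request-target is allowed to override what the socket itself reports.

```python
"""Constructed model of CVE-2026-39807: deriving the request scheme from the
client-supplied request-target instead of from the transport.
Hypothetical code, not Bandit's implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Conn:
    """Facts the server knows from the socket, not from the client."""
    tls: bool


@dataclass(frozen=True)
class Request:
    method: str
    target: str        # request-target exactly as it appeared on the request line
    host: str
    conn: Conn


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split 'METHOD target HTTP/x.y'. The target may be origin-form ('/path')
    or absolute-form ('https://host/path'); origin servers must accept both."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1], parts[2]


def split_target(target: str) -> Tuple[Optional[str], str]:
    """Return (scheme_or_None, path). Only an absolute-form target carries a scheme."""
    if target.startswith("/"):
        return None, target
    u = urlsplit(target)
    if u.scheme in ("http", "https") and u.netloc:
        return u.scheme, u.path or "/"
    raise ValueError(f"unsupported request-target: {target!r}")


def effective_scheme(req: Request, trust_uri_scheme: bool) -> str:
    """Vulnerable behaviour (trust_uri_scheme=True): a scheme in the request-target
    overrides the socket. Fixed behaviour: the scheme is a function of the
    transport only, so nothing the client writes can claim TLS on a plaintext socket."""
    uri_scheme, _ = split_target(req.target)
    if trust_uri_scheme and uri_scheme is not None:
        return uri_scheme
    return "https" if req.conn.tls else "http"


def handle(req: Request, trust_uri_scheme: bool) -> dict:
    """Force-SSL middleware followed by a handler that sets a Secure cookie.
    The middleware keys on the scheme the server derived for the request."""
    scheme = effective_scheme(req, trust_uri_scheme)
    _, path = split_target(req.target)
    if scheme != "https":
        # Redirect plaintext requests; never emit the cookie here.
        return {"status": 301, "headers": {"Location": f"https://{req.host}{path}"}}
    return {"status": 200,
            "headers": {"Set-Cookie": "session=s3cr3t; Secure; HttpOnly"}}


def spoof_demo() -> dict:
    """Constructed attack: plaintext socket, absolute-form target claiming https."""
    method, target, _ = parse_request_line(
        "GET https://app.example/account HTTP/1.1\r\n")
    req = Request(method, target, "app.example", Conn(tls=False))
    return {"vulnerable": handle(req, trust_uri_scheme=True),
            "fixed": handle(req, trust_uri_scheme=False)}


if __name__ == "__main__":
    for label, resp in spoof_demo().items():
        print(f"{label}: {resp}")
```

On the vulnerable path the plaintext request is treated as HTTPS, the redirect is skipped and a cookie marked Secure is written back over the unencrypted socket, which is exactly the exposure the advisory describes. A quick check against a deployed server is to send an absolute-form request with an https scheme over a plain TCP connection and confirm that the response is the SSL redirect rather than the application response; any middleware that decides "is this connection secure" from the request line rather than from the socket has the same class of bug.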
