CVE-2026-55767 | Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, Co… | CVSS 5.8 MEDIUM

Description

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain() removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::validate() only rejected a strictly empty domain, so these cookies could be stored and the empty normalized domain was treated as matching any request host. An attacker-controlled origin that an application requests with a shared cookie jar can therefore set a cookie that Guzzle later sends to unrelated hosts using the same jar. This may allow cookie injection or session fixation against downstream services, depending on how those services interpret the injected cookie. This vulnerability is fixed in 7.12.1.

Metadata

CVE ID: CVE-2026-55767
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-17 14:34 UTC
Published: 2026-06-23 15:05 UTC
Last updated: 2026-06-23 17:47 UTC
Primary CWE: CWE-346
CWE-346: Origin Validation Error
Vendor / Product: guzzle / guzzle
Sources: cve.org · NVD

Severity & Metrics

5.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
guzzle	guzzle	—	< 7.12.1

Weakness (CWE)

CWE	Source	Description
CWE-1286	cna	CWE-1286: Improper Validation of Syntactic Correctness of Input
CWE-346	cna	CWE-346: Origin Validation Error

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.8	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

References (1)

https://github.com/guzzle/guzzle/security/advisories/GHSA-cwxw-98qj-8qjx https://github.com/guzzle/guzzle/security/advisories/GHSA-cwxw-98qj-8qjx