{“lastseen”:””,”description”:”Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections.\\n\\n’Elixir.Bandit.Pipeline’:determine_scheme\/2 in lib\/bandit\/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport’s secure? flag. HTTP\/1.1 absolute-form request targets (e.g. GET https:\/\/victim\/path HTTP\/1.1) and the HTTP\/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated.\\n\\nDownstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL’s already-secure branch skips its HTTP\u2192HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF\/SameSite gating may make incorrect decisions.\\n\\nThis issue affects bandit: from 1.0.0 before 1.11.0.”,”published”:”2026-05-01T20:34:22.832Z”,”modified”:”2026-05-01T20:34:22.832Z”,”type”:”cve”,”title”:”Client-supplied URI scheme trusted without transport verification in bandit”,”source”:”EEF”,”references”:”https:\/\/github.com\/mtrudel\/bandit\/security\/advisories\/GHSA-375f-4r2h-f99j\\nhttps:\/\/cna.erlef.org\/cves\/CVE-2026-39807.html\\nhttps:\/\/osv.dev\/vulnerability\/EEF-CVE-2026-39807\\nhttps:\/\/github.com\/mtrudel\/bandit\/commit\/45feea20dea8af7ffd7245271107b695c040e667″,”id”:”CVE-2026-39807″,”bulletinFamily”:””,”cwe”:[“CWE-807″],”cvelist”:null,”sourceData”:”mtrudel bandit 1.0.0\\nmtrudel bandit ff2f829326cd5dcf7335939aef9775269d881e28″,”sourceHref”:””,”cvss”:{“score”:6.3,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:L\/VI:L\/VA:N\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”bandit”,”version”:”1.0.0″,”vendor”:”mtrudel”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections.\\n\\n’Elixir.Bandit.Pipeline’:determine_scheme\/2 in lib\/bandit\/pipeline.ex returns the client-supplied…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,23,12,21,13,7,11,5],"class_list":["post-50816","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-63","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n